CVE-2025-9095: Cross Site Scripting in ExpressGateway express-gateway
A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9095 is a cross-site scripting (XSS) vulnerability in the ExpressGateway express-gateway product, affecting versions 1.16.0 through 1.16.10. The vulnerability resides in the REST endpoint implementation in the library file lib/rest/routes/users.js. It allows an attacker to inject script into pages viewed by other users by exploiting improper input handling or missing output encoding in the user-related REST API routes. The vulnerability can be triggered remotely; the CVSS vector records that low privileges (PR:L) and user interaction (UI:P) are required for the attack to succeed. The CVSS 4.0 base score is 5.1, a medium severity rating. The vendor has been contacted but has not responded or provided a patch, and no known exploits have been observed in the wild yet. Successful exploitation allows arbitrary JavaScript execution in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on the victim’s behalf. Because the affected code is a REST endpoint for user management, administrative interfaces may be affected, increasing the risk if privileged users are targeted. The lack of a vendor response combined with public disclosure increases the risk of exploitation in unpatched environments.
Potential Impact
For European organizations using ExpressGateway express-gateway versions 1.16.0 to 1.16.10, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to user sessions, data leakage, or manipulation of user accounts, especially if administrative users are targeted. This could compromise the confidentiality and integrity of sensitive data passing through the gateway, which often acts as an API gateway or microservices proxy in enterprise environments. The remote attack vector lowers the barrier for attackers even though low privileges and user interaction are required, increasing the likelihood of exploitation in exposed deployments. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance issues and reputational damage if exploited. Additionally, the absence of a vendor patch means organizations must rely on internal mitigations or upgrade to a newer, unaffected version once one is available. The vulnerability could also serve as a foothold for further attacks within the network, and could impact availability if combined with other exploits.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the REST endpoints related to user management to trusted networks or VPNs to reduce exposure.
2. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the affected endpoints.
3. Conduct thorough input validation and output encoding on all user-supplied data in the REST API, especially in the users.js routes, to prevent script injection.
4. Monitor logs for unusual or suspicious requests targeting the REST endpoints to detect potential exploitation attempts.
5. If feasible, upgrade to a newer version of ExpressGateway that addresses this vulnerability once released by the vendor, or consider alternative API gateway solutions with active security support.
6. Educate users, especially administrators, about the risks of XSS and encourage cautious behavior regarding links or content received through the gateway interface.
7. Consider deploying Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources.
8. Regularly review and audit the gateway configuration and codebase for similar vulnerabilities and ensure secure coding practices are followed.
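As an added illustration of recommendations 3 and 7 (example code, not express-gateway's own users.js), the following shows a user-supplied field reflected unencoded into an HTML response beside its hardened form, and the CSP and nosniff headers a user-management route can send; the route shape and the sample user record are constructed for this example.

```javascript
// Added example (not express-gateway's own code): output encoding and
// response hardening for a constructed user-management route.

// HTML-encode the five characters that let untrusted text break out of
// element content or attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Response headers that cap the blast radius even if an encoding gap remains:
// a CSP that refuses inline and third-party scripts, plus nosniff so a JSON
// or text body is never reinterpreted as HTML by the browser.
function hardeningHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Vulnerable pattern: a user-supplied field reflected straight into markup.
function renderUserNotFoundUnsafe(username) {
  return `<p>User ${username} not found</p>`;
}

// Hardened variant: every untrusted field is encoded at the output point.
function renderUserNotFoundSafe(username) {
  return `<p>User ${escapeHtml(username)} not found</p>`;
}

// Minimal handler shaped like an Express (req) route that returns the
// response it would send, so behaviour can be checked without a server.
function handleGetUser(req, store) {
  const username = req.params.username;
  const headers = { 'Content-Type': 'text/html; charset=utf-8', ...hardeningHeaders() };
  if (!Object.prototype.hasOwnProperty.call(store, username)) {
    return { status: 404, headers, body: renderUserNotFoundSafe(username) };
  }
  return { status: 200, headers, body: `<p>Hello ${escapeHtml(store[username].name)}</p>` };
}

// Constructed sample data: a stored display name containing markup.
const sampleStore = { alice: { name: 'Alice <Admin>' } };
```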
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-17T12:53:49.035Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a2631ead5a09ad009cf95a
Added to database: 8/17/2025, 11:17:50 PM
Last enriched: 8/17/2025, 11:33:00 PM
Last updated: 8/18/2025, 4:57:38 AM