
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in Mercurial SCM's web interface (hgweb) component, tracked as CVE-2025-2361. The vulnerability affects Mercurial SCM versions up to 4.5.3, where the manipulation of the 'cmd' argument in the web interface could lead to cross-site scripting attacks. The vulnerability was publicly disclosed on March 17, 2025, and was fixed with the release of Mercurial 6.9.4 (NVD, OSS Security).
The vulnerability is classified as a cross-site scripting (XSS) issue (CWE-79) in the web interface component. The CVSS v4.0 base score is 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, and the CVSS v3.1 base score is 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability allows an attacker to forge a link that, when opened, executes JavaScript in the target's browser (VulDB, NVD).
The vulnerability enables attackers to execute arbitrary JavaScript code in victims' browsers through specially crafted links. However, in production setups, such injections might be caught by the WSGI layer, with popular implementations like mod_wsgi returning a 500 error instead of executing the malicious code (OSS Security).
The vulnerability has been fixed in Mercurial version 6.9.4. Users are strongly advised to upgrade to this version. For systems where immediate upgrade is not possible, the WSGI layer (particularly mod_wsgi) provides some mitigation by catching such injections and returning a 500 error (OSS Security).
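The advisory notes that the flaw is reached through the `cmd` argument and that a 500 from mod_wsgi is only an incidental safety net. The following is an added example, not Mercurial project code: a small WSGI guard that sits in front of the hgweb application, rejects any `cmd` value that does not look like a command name before hgweb can reflect it, and applies the same check to access-log lines so existing traffic can be reviewed. It assumes (hypothetically, based on how hgweb names its commands) that legitimate values are short lowercase identifiers such as `log`, `changeset` or `capabilities`; the sample log lines and the `fake_hgweb` stand-in are constructed for the demonstration.

```python
"""Added example: deny-by-shape guard for the hgweb `cmd` parameter.

Not part of Mercurial. Assumes hgweb command names are lowercase ASCII
identifiers; adjust _CMD_RE if a deployment uses extensions with other names.
"""
import re
import sys
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Shape of a legitimate hgweb command name (assumption, see module docstring).
# Markup, quotes, whitespace and overlong values all fail this pattern, so a
# value that is later reflected into a response can never carry HTML.
_CMD_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def cmd_is_wellformed(value: Optional[str]) -> bool:
    """True when `cmd` is absent/empty (repository index) or is a plain command name."""
    if not value:
        return True
    return bool(_CMD_RE.match(value))


def extract_cmd(query_string: str) -> Optional[str]:
    """Return the first (percent-decoded) `cmd` value in a query string, if any."""
    values = parse_qs(query_string, keep_blank_values=True).get("cmd")
    return values[0] if values else None


def guard_cmd(app: Callable) -> Callable:
    """Wrap a WSGI app: malformed `cmd` gets a deliberate 400 instead of reaching hgweb."""
    def wrapped(environ, start_response):
        cmd = extract_cmd(environ.get("QUERY_STRING", ""))
        if not cmd_is_wellformed(cmd):
            # Log the event for detection, but record only the length of the
            # value so the raw string cannot travel into a log viewer.
            errors = environ.get("wsgi.errors", sys.stderr)
            errors.write("hgweb guard: rejected malformed cmd (%d chars) from %s\n"
                         % (len(cmd), environ.get("REMOTE_ADDR", "?")))
            body = b"bad request: malformed cmd parameter\n"  # never echoes the value
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


def fake_hgweb(environ, start_response):
    """Constructed stand-in for the real hgweb WSGI application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app: Callable, query_string: str) -> Tuple[str, bytes]:
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": "/repo",
        "QUERY_STRING": query_string, "REMOTE_ADDR": "203.0.113.5",
        "wsgi.errors": sys.stderr,
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Request-line portion of a combined-format access log entry.
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_log_lines(lines: Iterable[str]) -> List[str]:
    """Return access-log lines whose request carried a malformed `cmd`."""
    flagged = []
    for line in lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        if not cmd_is_wellformed(extract_cmd(urlsplit(m.group(1)).query)):
            flagged.append(line)
    return flagged


# Constructed sample log: one ordinary wire-protocol call, one request whose
# cmd contains markup characters, one page view without cmd at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2025:10:00:01 +0000] "GET /repo?cmd=capabilities HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Mar/2025:10:00:02 +0000] "GET /repo/shortlog?cmd=log%3Cb%3E HTTP/1.1" 200 1024',
    '198.51.100.7 - - [17/Mar/2025:10:00:03 +0000] "GET /repo/file/tip/README HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    app = guard_cmd(fake_hgweb)
    print(call(app, "cmd=log"))
    print(call(app, "cmd=log%3Cb%3E"))
    for line in flag_log_lines(SAMPLE_LOG):
        print("flagged:", line)
```

The guard is a stop-gap for hosts that cannot move to 6.9.4 yet: it is strictly narrower than hgweb's own parsing, so a legitimately named command always passes, and the 400 response is intentional and logged rather than an accidental mod_wsgi crash. Running `flag_log_lines` over historical access logs answers the question an incident responder will ask first, namely whether anyone has already sent such a link to users of the instance.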
The vulnerability disclosure revealed gaps in Mercurial's security handling practices, as noted by the project maintainers. The bug was particularly notable as it had existed since 2006. The project has announced plans to improve their security handling practices, including refreshing their security list to better handle future vulnerabilities (OSS Security).
Source: This report was generated using AI