CVE-2025-9096: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in ExpressGateway express-gateway versions up to 1.16.10. The vulnerability exists in the library lib/rest/routes/apps.js component of the REST Endpoint. The issue was discovered and publicly disclosed in August 2025, with the vendor being notified but not responding to the disclosure (VulDB).

The vulnerability stems from improper handling of user input in the REST API endpoints, specifically in the /users/:id and /apps/:id routes. The backend API directly concatenates user-controlled path parameters (req.params.id) into error messages without proper validation or output encoding. These messages are sent as HTML responses using res.send(), causing the browser to interpret injected scripts as executable code. The vulnerability has received a CVSS v4.0 score of 5.1 (Medium) and CVSS v3.1 score of 3.5 (Low) (GitHub Issue).

The exploitation of this vulnerability could lead to several security implications including session hijacking through stealing session cookies from logged-in administrators, privilege escalation by performing unauthorized actions using elevated accounts, data exfiltration of sensitive information such as user lists and application configurations, and potential phishing attacks through injected malicious scripts (GitHub Issue).

Two primary mitigation strategies have been recommended: 1) Implement output encoding for all user-supplied data using HTML encoding before including it in server responses, preventing browsers from interpreting injected characters as executable HTML or JavaScript, 2) Set a safe Content-Type for error responses, using text/plain or returning structured JSON instead of text/html, which reduces the risk of script execution by the browser (GitHub Issue).