CVE-2025-9096: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in ExpressGateway express-gateway versions up to 1.16.10. The vulnerability exists in the REST API endpoints, specifically in the library lib/rest/routes/apps.js component. The issue was discovered and publicly disclosed on August 17, 2025, with the identifier CVE-2025-9096. The vulnerability affects the REST Endpoint component where user input is not properly sanitized (NVD CVE, GitHub Issue).

The vulnerability stems from improper handling of user input in the /users/:id and /apps/:id routes, where unsanitized user-supplied input (req.params.id) is directly embedded into the server's response without proper HTML escaping. The vulnerability has received a CVSS v3.1 base score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity but requiring user interaction. The vulnerable code in lib/rest/routes/apps.js directly concatenates user-controlled path parameters into error messages without validation or output encoding (GitHub Issue).

The vulnerability can lead to several serious consequences including session hijacking through stealing session cookies from logged-in administrators, privilege escalation by performing unauthorized actions using elevated accounts, data exfiltration of sensitive information such as user lists and application configurations, and potential phishing attacks through UI redress (GitHub Issue).

Two primary mitigation strategies are recommended: 1) Implement proper output encoding for all user-supplied data using an HTML encoding utility to prevent browsers from interpreting injected characters as executable HTML or JavaScript, 2) Set a safe Content-Type for error responses, preferably using text/plain or returning structured JSON instead of text/html. The vendor was contacted about this disclosure but did not respond (GitHub Issue).