Cyber Resilience

CVE-2025-24853

High

Published: 31 July 2025

Published
31 July 2025
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0120 79.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24853 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Apache Jspwiki. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-24853 is a cross-site scripting vulnerability (CWE-79) affecting Apache JSPWiki. It stems from insufficient input sanitization in the wiki markup syntax used for header links, where a crafted request can inject executable JavaScript; subsequent analysis confirmed the same flaw exists in the markdown parser as well.

An unauthenticated remote attacker can exploit the issue over the network by submitting a maliciously formatted link creation request. Successful exploitation executes arbitrary JavaScript in the victim's browser, enabling theft of sensitive information such as session tokens or other client-side data, while the CVSS 7.5 rating reflects high impact on integrity with no required privileges or user interaction.

Advisories from the JSPWiki project and the oss-security mailing list direct users to upgrade to version 2.12.3 or later to remediate the flaw.

The associated EPSS score has remained flat at 0.0120 with no observed rise after disclosure, and no public reports of active exploitation have been noted in the provided references.

EU & UK References

Vulnerability details

A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team…

more

showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
jspwiki
≤ 2.12.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References