CVE-2025-24853
Published: 31 July 2025
Summary
CVE-2025-24853 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Apache Jspwiki. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-24853 is a cross-site scripting vulnerability (CWE-79) affecting Apache JSPWiki. It stems from insufficient input sanitization in the wiki markup syntax used for header links, where a crafted request can inject executable JavaScript; subsequent analysis confirmed the same flaw exists in the markdown parser as well.
An unauthenticated remote attacker can exploit the issue over the network by submitting a maliciously formatted link creation request. Successful exploitation executes arbitrary JavaScript in the victim's browser, enabling theft of sensitive information such as session tokens or other client-side data, while the CVSS 7.5 rating reflects high impact on integrity with no required privileges or user interaction.
Advisories from the JSPWiki project and the oss-security mailing list direct users to upgrade to version 2.12.3 or later to remediate the flaw.
The associated EPSS score has remained flat at 0.0120 with no observed rise after disclosure, and no public reports of active exploitation have been noted in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23255
Vulnerability details
A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team…
more
showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.