CVE-2025-25189

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-25189

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25189.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-25189

Aliases

GHSA-pw7m-p9q7-357p

Published

2025-02-10T22:05:20.596Z

Modified

2025-12-05T08:53:33.060265Z

Severity

5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P CVSS Calculator

Summary

[XBOW-025-031] Reflected Cross-Site Scripting via jobid Parameter in ZOO-Project WPS publish.py CGI Script

Details

The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the jobid parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the jobid parameter which will be executed when rendered by the victim's browser. Commit 7a5ae1a contains a fix for the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25189.json",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/zoo-project/zoo-project

Affected ranges

Type: GIT
Repo: https://github.com/zoo-project/zoo-project
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac

Affected versions

rel-1.*

rel-1.9.0

rel-1.9.0-rc1

rel-2.*

rel-2.0.0

rel-2.0.0-rc1

rel-2.0.0-rc2

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "length": 1569.0,
            "function_hash": "231051355282328300929266040077176613138"
        },
        "signature_type": "Function",
        "id": "CVE-2025-25189-5067f225",
        "target": {
            "function": "createExceptionJ",
            "file": "zoo-project/zoo-kernel/service_json.c"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "233984776589764210062644956435915334257",
                "244379300849682835098133070406481459564",
                "329737052098170391194376784835347477897"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-25189-a3fd363b",
        "target": {
            "file": "zoo-project/zoo-kernel/service.h"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "length": 1727.0,
            "function_hash": "332866283505252080449139314528649096373"
        },
        "signature_type": "Function",
        "id": "CVE-2025-25189-b6913c67",
        "target": {
            "function": "printLiteralValueJ",
            "file": "zoo-project/zoo-kernel/service_json.c"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "61758777023036539781188222581923761990",
                "123228442083373715887782275403031334270",
                "290541340597568225788551552617770685377",
                "246499266982688774401004635751521676379",
                "178305232653255818917589700746593895291",
                "325429144131440520674049134488098501385",
                "137631184978948274358107832998115890985",
                "96045283971812406168717037482414450696",
                "296967069365433062667619170013873586707",
                "323151586371492364894261326487252015706",
                "266357938995378404256731681192808036005",
                "27065288854430022702506479920029995223",
                "243573816431965537277124208289828124096",
                "243434971390711590451921275056476434785",
                "19950942973068469210113308486009826682",
                "91216978378999347352446281611973954741",
                "263194597905717967354733425679309247885",
                "79663893416428291219048993186292443908",
                "290146112562556495713398821167521725086",
                "162815685142869758932705777625506719685",
                "305842605685069034620932908792338014380",
                "272498121683583580315933313419172208722",
                "221940365454503664883852765900501385102",
                "336030023939419481413763633331065642023",
                "156545883720139552310519992345909428270",
                "177932859639400821701562315964404664238",
                "247773960059199543877765328136950522611",
                "323935482085635800879566781697484132722",
                "264148319118229229975853034297950154388",
                "319918256575138777346952304637472224285",
                "293051234214072194378832180919741917460"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-25189-b6ad03a8",
        "target": {
            "file": "zoo-project/zoo-kernel/service_json.c"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "length": 2736.0,
            "function_hash": "81091687839805494614621801245179318795"
        },
        "signature_type": "Function",
        "id": "CVE-2025-25189-ca99eefb",
        "target": {
            "function": "printRawdataOutput",
            "file": "zoo-project/zoo-kernel/response_print.c"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "length": 3417.0,
            "function_hash": "210954194874373732423898703623760378204"
        },
        "signature_type": "Function",
        "id": "CVE-2025-25189-e1069d52",
        "target": {
            "function": "createStatus",
            "file": "zoo-project/zoo-kernel/service_json.c"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/zoo-project/zoo-project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "135378663830043560440289645782142949249",
                "148983788641718280021606953937117514365",
                "200386134473859730309274428582515489008"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-25189-e80c5968",
        "target": {
            "file": "zoo-project/zoo-kernel/response_print.c"
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25189.json"