Apache SkyWalking, a popular open-source tool for application performance monitoring, faces a stored cross-site scripting vulnerability tracked as CVE-2025-54057.
This flaw affects versions up to 10.2.0 and allows attackers to inject malicious scripts into web interfaces, potentially compromising user sessions and data.
The Apache team released version 10.3.0 to fix the issue, urging immediate upgrades.
Vulnerability Mechanics
The vulnerability stems from improper handling of script-related HTML tags in SkyWalking’s web pages, classified as basic XSS under CWE-79.
Attackers can submit payloads such as script tags via inputs tied to dashboards, logs, traces, or widget URLs, which store unsanitized data in the backend database.
When administrators view affected pages, the scripts execute in their browsers with full application privileges, bypassing normal defenses.
Exploitation follows a simple flow: first, inject code via modifiable fields; second, persist in storage; third, execute on page load without user clicks.
No advanced skills are needed, only access to submit data rendered in the UI. Potential outcomes include session cookie theft for account takeover, the insertion of fake metrics to hide attacks, or redirects to phishing sites.
| CVE ID | Severity | CVSS v3.1 Score | Affected Versions | Fixed Version |
|---|---|---|---|---|
| CVE-2025-54057 | Important | 6.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | <= 10.2.0 | 10.3.0 |
Risks and Response Steps
Stored XSS heightens the risk in monitoring tools like SkyWalking, as compromised dashboards could leak credentials, enable lateral movement, or tamper with telemetry across distributed systems.
Organizations in finance or cloud environments face elevated threats from data exposure or compliance failures.
To mitigate, upgrade to 10.3.0 promptly and verify via the dashboard. Audit logs for anomalies, rotate credentials, invalidate sessions, and scan for injections.
Security researcher Vinh Nguyễn Quang reported the flaw, disclosed on November 27, 2025, via Apache’s dev list.
SkyWalking users should prioritize this patch to safeguard observability platforms. For more, check NVD or Apache advisories.
