Vulnerability In Apache SkyWalking Exposes Users To Potential XSS Exploits

Apache SkyWalking, a popular open-source tool for application performance monitoring, faces a stored cross-site scripting vulnerability tracked as CVE-2025-54057.

This flaw affects versions up to 10.2.0 and allows attackers to inject malicious scripts into web interfaces, potentially compromising user sessions and data.

The Apache team released version 10.3.0 to fix the issue, urging immediate upgrades.

Vulnerability Mechanics

The vulnerability stems from improper handling of script-related HTML tags in SkyWalking’s web pages, classified as basic XSS under CWE-79.

Attackers can submit payloads such as script tags via inputs tied to dashboards, logs, traces, or widget URLs, which store unsanitized data in the backend database.

When administrators view affected pages, the scripts execute in their browsers within the SkyWalking UI's origin, so they run with the viewing administrator's application privileges and bypass the protections that would block a cross-origin script.

Exploitation follows a simple flow: an attacker injects code through a modifiable field, the backend persists it in storage, and it executes when the page loads, without any user click.

No advanced skills are needed, only access to submit data rendered in the UI. Potential outcomes include session cookie theft for account takeover, the insertion of fake metrics to hide attacks, or redirects to phishing sites.

CVE ID: CVE-2025-54057
Severity: Important
CVSS v3.1 Score: 6.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Versions: <= 10.2.0
Fixed Version: 10.3.0

Risks and Response Steps

Stored XSS heightens the risk in monitoring tools like SkyWalking, as compromised dashboards could leak credentials, enable lateral movement, or tamper with telemetry across distributed systems.

Organizations in finance or cloud environments face elevated threats from data exposure or compliance failures.

To mitigate, upgrade to 10.3.0 promptly and verify the running version via the dashboard. Audit logs for anomalies, rotate credentials, invalidate active sessions, and scan stored dashboard, log, trace and widget data for injected markup.
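The two defensive controls implied above (render stored strings as data rather than markup, and scan stored records for injected markup) as an added JavaScript example; this is not SkyWalking project code, and the record shape, field names and sample records are constructed for illustration. The audit pattern is a general heuristic covering script-related tags, inline event handlers and javascript: URLs, slightly broader than the script tags the advisory names.

```javascript
// Added example, not SkyWalking code: output-encode stored UI strings
// before rendering, and audit stored records for script-related markup.

// The five HTML-significant characters and their entity forms.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape untrusted text so the browser treats it as data, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a dashboard title through the escaper. A stored value that
// contains a <script> tag comes out as inert, visible text.
function renderTitle(title) {
  return `<h2 class="dashboard-title">${escapeHtml(title)}</h2>`;
}

// Coarse heuristic for markup that should never appear in a stored
// dashboard name or widget URL: script-related tags, inline event
// handler attributes, and javascript: URLs. Expect some false positives.
const SUSPICIOUS = /<\s*\/?\s*(script|iframe|img|svg|object|embed)\b|javascript\s*:|on\w+\s*=/i;

// Walk every string field of every record and report matches as
// { id, field } pairs for follow-up review.
function auditRecords(records) {
  const hits = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec)) {
      if (field === "id") continue;
      if (typeof value === "string" && SUSPICIOUS.test(value)) {
        hits.push({ id: rec.id, field });
      }
    }
  }
  return hits;
}

// Constructed sample records standing in for stored dashboards/widgets
// (hypothetical fields: name, widgetUrl).
const SAMPLE_RECORDS = [
  { id: "dash-1", name: "Checkout service latency", widgetUrl: "/trace?service=checkout" },
  { id: "dash-2", name: "Inventory <script>alert(1)</script>", widgetUrl: "/log" },
  { id: "dash-3", name: "Payments", widgetUrl: "javascript:void(0)" },
];

console.log(renderTitle(SAMPLE_RECORDS[1].name)); // tag rendered as text
console.log(auditRecords(SAMPLE_RECORDS));        // dash-2/name, dash-3/widgetUrl
```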

Security researcher Vinh Nguyễn Quang reported the flaw, disclosed on November 27, 2025, via Apache’s dev list.

SkyWalking users should prioritize this patch to safeguard observability platforms. For more, check NVD or Apache advisories.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
