CVE-2025-0104

6.1 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition allows attackers to execute malicious JavaScript in authenticated users' browsers via malicious links. This affects all Expedition users who click on crafted links, potentially leading to session theft and phishing attacks.

💻 Affected Systems

Products:
  • Palo Alto Networks Expedition
Versions: All versions prior to the fix
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction (clicking malicious link) and authenticated Expedition session.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal authenticated Expedition sessions, gain administrative access to Expedition, and potentially pivot to other network systems through stolen credentials.

🟠 Likely Case

Attackers perform session hijacking to access Expedition data, modify configurations, or launch phishing attacks against other users.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check PAN-SA-2025-0001 for specific fixed versions

Vendor Advisory: https://security.paloaltonetworks.com/PAN-SA-2025-0001

Restart Required: Yes

Instructions:

1. Review the PAN-SA-2025-0001 advisory.
2. Download and apply the latest Expedition update.
3. Restart Expedition services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement strict input validation and output encoding for all user-supplied data in Expedition.

Content Security Policy (applies to: all)

Deploy Content Security Policy headers to restrict script execution sources.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Expedition management interface
  • Educate users about phishing risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check Expedition version against the advisory; test with safe XSS payloads in user input fields.

Check Version:

Check Expedition web interface or documentation for version information

Verify Fix Applied:

Verify Expedition version is updated per advisory; test that XSS payloads are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user activity patterns
  • Multiple failed login attempts from the same session

Network Indicators:

  • Suspicious URLs containing script tags in Expedition requests

SIEM Query:

Search for Expedition logs containing script tags or encoded JavaScript in URL parameters
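The SIEM query above is described only in words. As an added example (not from this page or from Palo Alto Networks), the Python below scans constructed web-access log lines, URL-decodes every query parameter (including double-encoded values), and flags the script-tag, `javascript:` URI and inline event-handler markers that a reflected XSS link would carry. The request paths, parameter names and marker list are assumptions, not Expedition-specific signatures.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Generic reflected-XSS markers (assumption: not a vendor-published signature).
XSS_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b",
    re.IGNORECASE,
)

# Combined Log Format: client IP, ident, user, [timestamp] "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Constructed sample lines; paths and parameter names are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "GET /app/page.php?type=summary HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:01:00 +0000] "GET /app/page.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2025:10:02:00 +0000] "GET /app/page.php?q=%253Cscript%253E HTTP/1.1" 200 128
10.0.0.11 - - [01/Jan/2025:10:03:00 +0000] "GET /app/page.php?name=alice HTTP/1.1" 200 64
"""


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded
    payloads (%253C -> %3C -> <) are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_requests(log_text):
    """Return (client_ip, param_name, decoded_value) for every request whose
    query string contains a script-injection marker after decoding."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        client_ip, target = match.groups()
        # parse_qsl removes one encoding layer; fully_decode handles the rest.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            decoded = fully_decode(value)
            if XSS_MARKERS.search(decoded):
                hits.append((client_ip, name, decoded))
    return hits
```

Feed the function the relevant web-server or reverse-proxy access log; each hit names the source address and the parameter to pivot on in the SIEM.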
