CVE-2025-11360

4.3 MEDIUM

📋 TL;DR

The API component of jakowenko double-take processes the X-Ingress-Path request header without sanitizing it, so an attacker who controls that header can inject markup and script, resulting in cross-site scripting (XSS). All double-take versions up to and including 1.13.1 are affected. The attack can be carried out remotely and results in attacker-controlled JavaScript running in the victim's browser.

💻 Affected Systems

Products:
  • jakowenko double-take
Versions: Up to and including version 1.13.1
Operating Systems: All platforms running double-take
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the API component's app.use function when processing the X-Ingress-Path header.

⚠️ Manual Verification Required

The NVD entry for this CVE does not carry machine-readable version ranges (CPE match data), so automated scanners that key on NVD data may not flag affected installs and cannot determine on their own whether your system is affected.

Why? The affected range listed on this page (1.13.1 and earlier, fixed in 1.13.2) comes from the vendor's fix release rather than from version ranges in the NVD record, so it has to be checked against your installation by hand.


Recommended Actions:
  1. Review the CVE details at NVD.
  2. Check the vendor's release notes for your specific version.
  3. Test whether the vulnerability is exploitable in your environment.
  4. Update to 1.13.2 or later; if you cannot, apply the workarounds below.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deliver malware payloads to users accessing the vulnerable application.

🟠

Likely Case

Session hijacking, credential theft, or defacement of the application interface through injected malicious content.

🟢

If Mitigated

Limited impact when the X-Ingress-Path header is stripped or replaced at a trusted proxy and the application serves a Content Security Policy whose script-src does not allow 'unsafe-inline', since an injected inline script then does not execute. XSS can still bypass weaker controls (for example a CSP that permits inline script, or a WAF that only matches literal <script> tags).

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation consists of sending a crafted HTTP request with a malicious X-Ingress-Path header to the vulnerable API endpoint. As with any request-header XSS, the attacker must get that header into a request the application answers for the victim: a request the attacker sends directly only poisons the response returned to the attacker, so practical impact depends on an intermediary (a reverse proxy or ingress layer that forwards the header from the client) or on a poisoned response being cached and served to other users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.2

Vendor Advisory: https://github.com/jakowenko/double-take/releases/tag/v1.13.2

Restart Required: Yes

Instructions:

1. Stop the double-take service (or container).
2. Update to version 1.13.2 by pulling the 1.13.2 image or by downloading the release from GitHub.
3. Restart the service.
4. Verify that the running build includes the fix commit e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Strip or replace the X-Ingress-Path header at a reverse proxy (or WAF) in front of the application so that the raw client-supplied value never reaches it. Caveat: X-Ingress-Path is the header Home Assistant's ingress proxy uses to tell an add-on which path prefix it is served under. If your deployment depends on that, have the proxy overwrite the header with a fixed, trusted value instead of an empty one, and make sure only the proxy can set it.

# Example nginx configuration: an empty value makes nginx drop the header before proxying
location /api/ {
    proxy_set_header X-Ingress-Path "";
    proxy_pass http://double-take:3000;
}
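The same control can be applied inside a Node/Express application instead of at the proxy. The following is an added example, not double-take's own app.js or its fix: it assumes the header is only ever meant to carry a URL path prefix (for example /api/hassio_ingress/<token>) and rejects anything else outright rather than trying to clean it, and it shows how the value must be HTML-escaped if it is ever embedded in a page. The names sanitizeIngressPath, htmlEscape and ingressPathGuard are this example's own.

```javascript
// Added example (not double-take code): strict handling of X-Ingress-Path.
// Assumption: a legitimate value is a plain path prefix made of URL-safe
// characters, e.g. "/api/hassio_ingress/abc123". Anything else is discarded.
const SAFE_INGRESS_PATH = /^\/(?:[A-Za-z0-9_.~-]+\/?)*$/;

// Return the header value if it is a plain path prefix, otherwise `fallback`.
// Percent-encoding is decoded first so "%3Cscript%3E" cannot slip past the
// allowlist; the value is rejected, not "cleaned", so no partial payload survives.
function sanitizeIngressPath(raw, fallback = '') {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 256) return fallback;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return fallback;                               // malformed percent-encoding
  }
  if (!SAFE_INGRESS_PATH.test(decoded)) return fallback;
  if (decoded.split('/').some((seg) => seg === '..')) return fallback; // no traversal
  return decoded;
}

// Escape for safe embedding in HTML text or a quoted attribute (e.g. <base href>).
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Express-style middleware: overwrite the incoming header with the validated
// value so that downstream handlers and templates never see the raw one.
function ingressPathGuard(req, res, next) {
  const safe = sanitizeIngressPath(req.headers['x-ingress-path'], '');
  req.headers['x-ingress-path'] = safe;
  req.ingressPath = safe;
  next();
}

// Stand-alone demonstration with a constructed request object (no Express needed).
function demo() {
  const req = {
    headers: { 'x-ingress-path': '/api/hassio_ingress/abc"><script>alert(1)</script>' },
  };
  ingressPathGuard(req, {}, () => {});
  return req.ingressPath;          // '' : the hostile value was discarded
}

console.log(JSON.stringify(demo()));
```

Register ingressPathGuard before any route that reads the header (app.use(ingressPathGuard) in Express) and pass req.ingressPath, escaped with htmlEscape where it lands in HTML, to whatever builds the response.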

Content Security Policy

Platform: all

Serve a strict CSP so that injected inline script is not executed. The policy must not allow 'unsafe-inline' (or 'unsafe-eval') in script-src; with 'unsafe-inline' present an injected <script> block still runs and the header adds nothing. Test the application's own UI against the policy first, and if it relies on inline scripts use nonces or hashes rather than re-enabling 'unsafe-inline'.

# Example CSP header (nginx); note that script-src deliberately omits 'unsafe-inline'
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules to filter malicious X-Ingress-Path headers.
  • Isolate the vulnerable application behind a reverse proxy that sanitizes or blocks the X-Ingress-Path header entirely.

🔍 How to Verify

Check if Vulnerable:

Check if double-take version is 1.13.1 or earlier by examining the application version or package metadata.

Check Version:

docker inspect jakowenko/double-take:latest | grep -i version
grep '"version"' package.json    # run from the double-take installation directory for non-container installs

Verify Fix Applied:

Verify that the installed version is 1.13.2 or later and that the build contains commit e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50 (for a source checkout: git merge-base --is-ancestor e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50 HEAD).

📡 Detection & Monitoring

Log Indicators:

  • Unusual or malformed X-Ingress-Path header values in HTTP request logs
  • JavaScript payloads in request headers

Network Indicators:

  • HTTP requests with suspicious X-Ingress-Path headers containing script tags or JavaScript code

SIEM Query:

source="*double-take*" AND (X-Ingress-Path="*<script>*" OR X-Ingress-Path="*javascript:*")

This query only matches literal <script> and javascript: strings. Payloads that are percent-encoded (%3Cscript), that use other tags with event handlers (<img onerror=...), or that merely break out of an attribute with a quote will not match; decode the header value before matching and alert on any value that is not a plain path prefix.
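The following is an added example of that broader detection logic, not a query or tool from the original page: it decodes the header value (twice, to catch double encoding) and then flags anything containing a tag opener, a javascript: scheme, an inline event handler, a quote, or an entity-encoded '<'. The log lines are constructed for the example and assume a reverse-proxy access log that records the header as a JSON field named x_ingress_path (for nginx that would be $http_x_ingress_path in a JSON log_format); the field name and record shape are this example's assumption.

```javascript
// Added example (not from the original page): hunt for XSS attempts in the
// X-Ingress-Path header across JSON access-log lines.
// The log lines below are constructed sample data, not real traffic.
const SAMPLE_LOG = [
  '{"ts":"2025-10-07T10:00:01Z","src":"10.0.0.5","method":"GET","uri":"/api/config","x_ingress_path":"/api/hassio_ingress/abc123"}',
  '{"ts":"2025-10-07T10:00:02Z","src":"198.51.100.7","method":"GET","uri":"/","x_ingress_path":"/\\"><script>alert(document.cookie)</script>"}',
  '{"ts":"2025-10-07T10:00:03Z","src":"198.51.100.7","method":"GET","uri":"/","x_ingress_path":"%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}',
  '{"ts":"2025-10-07T10:00:04Z","src":"198.51.100.9","method":"GET","uri":"/","x_ingress_path":"javascript:alert(1)//"}',
  '{"ts":"2025-10-07T10:00:05Z","src":"10.0.0.5","method":"GET","uri":"/api/config","x_ingress_path":""}',
  '{"ts":"2025-10-07T10:00:06Z","src":"10.0.0.6","method":"GET","uri":"/api/config"}',
];

// Patterns that have no business in a path prefix. Matching is done on the
// decoded value, so encoded variants are caught as well.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z]/i,             // any tag opener, not just <script>
  /javascript\s*:/i,              // javascript: URLs
  /\bon[a-z]+\s*=/i,              // inline event handlers: onerror=, onload=, ...
  /["'`]/,                        // quotes that break out of an attribute
  /\\u003c|&lt;|&#x3c;|&#60;/i,   // JS- or entity-encoded '<'
];

// Decode percent-encoding up to two rounds (catches %253C -> %3C -> <).
function normalize(value) {
  let v = String(value);
  for (let i = 0; i < 2; i++) {
    try {
      const d = decodeURIComponent(v);
      if (d === v) break;
      v = d;
    } catch {
      break;                        // malformed encoding: judge what we have
    }
  }
  return v;
}

function classifyIngressPath(value) {
  const v = normalize(value);
  return SUSPICIOUS.some((re) => re.test(v)) ? 'suspicious' : 'benign';
}

// Return one finding per suspicious request; unparsable lines and requests
// without the header (or with an empty one) are skipped.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const raw = rec.x_ingress_path;
    if (raw === undefined || raw === '') continue;
    if (classifyIngressPath(raw) === 'suspicious') {
      findings.push({ ts: rec.ts, src: rec.src, uri: rec.uri, value: normalize(raw) });
    }
  }
  return findings;
}

// Pivot: how many suspicious requests per source address.
function countBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.src] = (counts[f.src] || 0) + 1;
  return counts;
}

const found = scanLog(SAMPLE_LOG);
console.log(JSON.stringify(found, null, 2));
console.log(JSON.stringify(countBySource(found)));
```

Feed real log lines in place of SAMPLE_LOG (one JSON record per line) and pivot on countBySource to find the sources probing the header; a benign Home Assistant ingress prefix never trips any of the patterns.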
