CVE-2025-21572

6.1 MEDIUM

📋 TL;DR

OpenGrok 1.13.25 contains a reflected Cross-Site Scripting (XSS) vulnerability in its history view page due to improper sanitization of path segments. This allows attackers to inject malicious scripts that execute in victims' browsers when they visit crafted URLs. Organizations using OpenGrok for source code browsing are affected.

💻 Affected Systems

Products:
  • OpenGrok
Versions: 1.13.25
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with history view functionality enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking leading to unauthorized access to source code repositories, credential theft, or defacement of the OpenGrok interface.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Oracle security advisories for patched version

Vendor Advisory: https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html

Restart Required: Yes

Instructions:

1. Check Oracle security advisory for patched version
2. Upgrade OpenGrok to patched version
3. Restart OpenGrok service
4. Verify fix by testing XSS payloads

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF)
Applies to: all
Deploy WAF with XSS protection rules to block malicious payloads

Add Content Security Policy
Applies to: all
Implement strict CSP headers to mitigate script injection
Add "Content-Security-Policy: default-src 'self'" to web server configuration

🧯 If You Can't Patch

  • Restrict access to OpenGrok using network segmentation or authentication
  • Disable history view functionality if not required

🔍 How to Verify

Check if Vulnerable:

Test by injecting XSS payloads in path parameters of history view URLs and checking if scripts execute

Check Version:

Check OpenGrok version in web interface or configuration files

Verify Fix Applied:

Retest XSS payloads after patching; scripts should be properly sanitized and not execute

📡 Detection & Monitoring

Log Indicators:

  • Unusually long URLs with script tags in access logs
  • Multiple failed XSS attempts

Network Indicators:

  • HTTP requests containing script tags or JavaScript in URL parameters

SIEM Query:

(web.url:*script* OR web.url:*javascript:*) AND dest.app:"opengrok"
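As an added example (not part of this advisory or of OpenGrok), the log indicators above turned into a small scanner over web-server access logs: it percent-decodes each request path (so encoded markers are still caught), keeps only hits on the history view, and matches script tags or javascript: URLs rather than the broad *script* wildcard, so a benign query such as "description" is not flagged. Assumptions: combined log format, OpenGrok deployed under /source with the history view under /source/history/, and constructed sample lines.

```python
import re
from urllib.parse import unquote

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: OpenGrok is served under /source; the history view lives under /source/history/
HISTORY_PREFIX = "/source/history/"
# Markers matching the advisory's indicators: script tags and javascript: URLs
MARKERS = re.compile(r"<\s*/?\s*script|javascript\s*:", re.IGNORECASE)

def decode_path(path: str) -> str:
    """Percent-decode up to three times so double-encoded markers are still visible."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path

def flag_line(line: str):
    """Return a hit record for a suspicious history-view request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    if not decoded.startswith(HISTORY_PREFIX) or not MARKERS.search(decoded):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": decoded, "status": m.group("status")}

def scan(lines):
    """Return all hits found in an iterable of access-log lines."""
    return [hit for hit in (flag_line(l) for l in lines) if hit]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /source/history/myproj/src/main.c HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "GET /source/search?q=description HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2025:10:01:10 +0000] "GET /source/history/myproj/%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 3100',
    '203.0.113.7 - - [10/Mar/2025:10:01:11 +0000] "GET /source/history/myproj/%253Cscript%253E HTTP/1.1" 404 300',
    '203.0.113.9 - - [10/Mar/2025:10:02:00 +0000] "GET /source/xref/myproj/<script> HTTP/1.1" 404 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Drop the HISTORY_PREFIX check to hunt for the same markers across the whole interface; widen the decode loop if your proxy logs are already decoded once.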
