CVE-2025-2160

8.1 HIGH

📋 TL;DR

Pega Platform versions 8.4.3 through Infinity 24.2.1 contain a cross-site scripting (XSS) vulnerability in the Mashup component. This allows attackers to inject malicious scripts into web pages viewed by other users. Organizations using affected Pega Platform versions with Mashup functionality are at risk.

💻 Affected Systems

Products:
  • Pega Platform
Versions: 8.4.3 to Infinity 24.2.1
Operating Systems: All platforms running Pega Platform
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Mashup functionality enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect victims to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of application pages through injected content.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though the vulnerability itself remains until patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity once the injection point is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Infinity 24.2.2 or later

Vendor Advisory: https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note

Restart Required: Yes

Instructions:

1. Review the Pega security advisory.
2. Upgrade to Infinity 24.2.2 or later.
3. Restart the Pega Platform services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Disable Mashup functionality (all)

Temporarily disable Mashup components if they are not required for business operations.

Implement WAF rules (all)

Configure the web application firewall to block XSS patterns in Mashup requests.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers
  • Enable input validation and output encoding for all user-controlled data in Mashup components

🔍 How to Verify

Check if Vulnerable:

Check Pega Platform version and compare against affected range (8.4.3 to Infinity 24.2.1)

Check Version:

Check Pega Platform administration console or configuration files for version information

Verify Fix Applied:

Verify version is Infinity 24.2.2 or later and test Mashup functionality for XSS vectors

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in Mashup-related requests
  • Multiple failed XSS attempts in application logs

Network Indicators:

  • Suspicious script injection patterns in HTTP requests to Mashup endpoints

SIEM Query:

source="pega_logs" AND ("Mashup" OR "XSS" OR "script") AND status="200"
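An added example, not part of this page and not Pega's own tooling, of the log and network indicators listed above: a small Python scanner that flags requests to Mashup endpoints whose URL-decoded target carries a script-injection pattern, and then reports clients with multiple attempts. The combined-format log lines, the "/mashup" path fragment and the pattern list are constructed assumptions; adjust them to the paths and log format of your deployment.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in a common combined format (not real Pega logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "GET /app/mashup/gadget?name=orders HTTP/1.1" 200 5120
10.0.0.7 - - [01/Apr/2025:10:00:02 +0000] "GET /app/mashup/gadget?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5133
10.0.0.7 - - [01/Apr/2025:10:00:03 +0000] "GET /app/mashup/gadget?name=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 5100
10.0.0.9 - - [01/Apr/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 900
10.0.0.9 - - [01/Apr/2025:10:00:05 +0000] "GET /login?next=javascript:alert(1) HTTP/1.1" 302 0
"""

# Path fragments that identify Mashup requests: an assumption, adjust to your deployment.
MASHUP_PATHS = ("/mashup",)

# Combined-format request line: client IP, timestamp, method, target, status.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script-injection patterns, applied to the URL-decoded request target.
XSS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<\s*script\b", r"\bon[a-z]+\s*=", r"javascript\s*:", r"<\s*(img|svg|iframe)\b")
]

def scan_log(text, paths=MASHUP_PATHS):
    """Return (ip, status, pattern) for each Mashup request carrying a script-injection pattern."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        # Decode twice so double-encoded payloads are inspected in their final form.
        target = unquote(unquote(m.group("target")))
        path = target.split("?", 1)[0].lower()
        if not any(p in path for p in paths):
            continue  # not a Mashup endpoint; out of scope for this indicator
        for pat in XSS_PATTERNS:
            if pat.search(target):
                hits.append((m.group("ip"), int(m.group("status")), pat.pattern))
                break
    return hits

def repeat_offenders(hits, threshold=2):
    """Client IPs with at least `threshold` hits: the 'multiple attempts' indicator."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Passing `paths=("/",)` widens the scan to every endpoint, which also catches the `javascript:` redirect attempt that the Mashup-scoped run deliberately ignores.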
