CVE-2025-2361

4.3 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in the web interface (hgweb) of Mercurial SCM. Attackers can inject script through the 'cmd' query parameter; a user who opens a crafted hgweb URL runs that script in their browser in the context of the Mercurial host, which can expose their session or credentials. Organizations that serve the Mercurial web interface are affected; a command-line-only Mercurial install with no served web interface is not exposed.

💻 Affected Systems

Products:
  • Mercurial SCM
Versions: 4.5.3 (the only version recorded here; no authoritative version range is available, see Manual Verification below)
Operating Systems: All platforms running Mercurial SCM
Default Config Vulnerable: ⚠️ Yes, once the web interface is served
Notes: Only affects hosts that actually serve hgweb, i.e. a running 'hg serve' process or an hgweb.cgi, hgweb.wsgi or hgweb.fcgi deployment behind a web server, and only when that interface is reachable by the attacker's victims.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, compromise the Mercurial server, and potentially pivot to other systems in the network.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the Mercurial web interface.

🟢 If Mitigated

Limited impact when hgweb is reachable only from trusted networks and a reverse proxy or WSGI wrapper in front of hgweb rejects 'cmd' values that are not plain command names, so an injected payload never reaches a victim's browser.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and can be executed remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch version is recorded here. Track Mercurial's release notes and security advisories and upgrade when a fixed release is published; until then, apply the workarounds below.

🔧 Temporary Workarounds

Disable Web Interface (Platform: all)

Disable the Mercurial web interface if not required.

hgweb is only served when you run 'hg serve' or deploy hgweb.cgi, hgweb.wsgi or hgweb.fcgi behind a web server: stop that process or remove the deployment (the [web] section of hgrc configures hgweb but does not by itself turn it on or off). Repository access can continue over SSH (ssh:// URLs).

Implement WAF Rules (Platform: all)

Add web application firewall rules to reject malicious 'cmd' parameter values.

Prefer an allowlist to a blocklist: accept only 'cmd' values made of letters and underscores that match a known hgweb command name, URL-decode before matching (probes arrive as %3Cscript%3E or double-encoded as %253C), and check every occurrence of 'cmd' in the query string, not just the first. A rule that merely looks for the string "<script>" misses event-handler attributes, javascript: URIs and encoded variants.

🧯 If You Can't Patch

  • Restrict network access to the Mercurial web interface with firewall rules or reverse-proxy authentication, so only trusted users can reach hgweb at all
  • Validate the 'cmd' parameter in a reverse proxy or WSGI wrapper in front of hgweb; output encoding inside hgweb itself can only be fixed by a patch
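The WAF rule in the workarounds and the input-validation item above amount to the same control: refuse any 'cmd' value that is not a known hgweb command name before the request reaches Mercurial. Below is an added example of that control as a WSGI wrapper, written for this page and not taken from Mercurial. hgweb is itself a WSGI application, so in a deployment the wrapper goes around the hgweb(config) object in hgweb.wsgi. The allowlist and the _stub_hgweb stand-in are assumptions: the list holds command names hgweb is commonly seen dispatching on, and you should reconcile it with your own deployment (extensions such as largefiles register additional wire-protocol commands).

```python
"""Hypothetical WSGI guard for hgweb: rejects requests whose 'cmd' query
parameter is not a plain, known command name. Added example, not Mercurial code.
"""
import re
from urllib.parse import parse_qs

# Assumed allowlist of hgweb web views and wire-protocol commands. Trim it to
# what your deployment needs and add any commands your extensions register.
ALLOWED_CMDS = frozenset({
    "changelog", "shortlog", "log", "graph", "tags", "bookmarks", "branches",
    "summary", "changeset", "rev", "manifest", "file", "filelog", "diff",
    "comparison", "annotate", "archive", "static", "raw", "help",
    "capabilities", "heads", "batch", "getbundle", "lookup", "listkeys",
    "pushkey", "unbundle", "known", "branchmap", "clonebundles", "hello",
    "between", "changegroup", "changegroupsubset",
})
# A command name is letters and underscores only. Anything else (angle
# brackets, quotes, a leftover '%' from double encoding) is rejected outright,
# so no further decoding is needed before the check.
SAFE_CMD_RE = re.compile(r"^[A-Za-z_]+$")


def classify_cmd(query_string):
    """Return (verdict, value) for the 'cmd' parameter of a raw query string.

    verdict is 'absent', 'allowed' or 'blocked'. hgweb URLs have historically
    used ';' as well as '&' between parameters, so both are treated as
    separators. Every occurrence of cmd is checked, so parameter pollution
    (?cmd=log&cmd=<script>) cannot slip past on the strength of the first value.
    """
    params = parse_qs(query_string.replace(";", "&"), keep_blank_values=True)
    values = params.get("cmd", [])
    if not values:
        return "absent", None
    for value in values:
        if not SAFE_CMD_RE.match(value) or value not in ALLOWED_CMDS:
            return "blocked", value
    return "allowed", values[0]


class CmdAllowlistMiddleware:
    """Wraps a WSGI app (hgweb) and answers 400 to disallowed cmd values."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        verdict, _value = classify_cmd(environ.get("QUERY_STRING", ""))
        if verdict == "blocked":
            # The rejected value is deliberately not echoed into the response.
            body = b"400 Bad Request: unsupported cmd parameter\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def _stub_hgweb(environ, start_response):
    """Stand-in for mercurial.hgweb.hgweb(config) so the example runs offline."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hgweb would serve this request\n"]


def request(app, query_string):
    """Drive a WSGI app with a minimal GET environ; return (status, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    guarded = CmdAllowlistMiddleware(_stub_hgweb)
    for qs in ("cmd=changelog", "cmd=file;node=tip;file=README",
               "cmd=%3Cscript%3Ealert(1)%3C/script%3E", "cmd=log&cmd=javascript:x", ""):
        print(repr(qs), "->", request(guarded, qs)[0])
```

In hgweb.wsgi, replace application = hgweb(config) with application = CmdAllowlistMiddleware(hgweb(config)). Requests that carry no 'cmd' query parameter (hgweb's path-style URLs such as /rev/tip, static assets) are passed through untouched; the wrapper covers only the query-parameter vector this page describes.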

🔍 How to Verify

Check if Vulnerable:

Confirm the installed version (hg --version) against the affected version listed above, and confirm that hgweb is actually served: a running 'hg serve' process, or an hgweb.cgi, hgweb.wsgi or hgweb.fcgi deployment behind your web server.

Check Version:

hg --version

Verify Fix Applied:

On a system you are authorized to test, request the hgweb URL with a harmless marker in 'cmd' (for example ?cmd=%3Cxsscheck%3E) and inspect the raw response body. If the marker comes back as the literal <xsscheck> rather than an encoded form such as &lt;xsscheck&gt;, and no proxy or wrapper rejected the request, the fix is not in place. Do not run script-executing payloads against a production interface.

📡 Detection & Monitoring

Log Indicators:

  • 'cmd' values in web server logs that are not bare command names (letters and underscores only), including URL-encoded and double-encoded forms
  • Repeated such requests from one source in a short window, whatever the HTTP status; a 200 on a probe is the case to chase first

Network Indicators:

  • HTTP requests with script tags, event-handler attributes or javascript: URIs in the 'cmd' parameter, in plain or percent-encoded form (%3Cscript%3E, %253C...)

SIEM Query:

source="mercurial_logs" AND (cmd="*<*" OR cmd="*>*" OR cmd="*%3C*" OR cmd="*%253C*" OR cmd="*javascript:*")

Use wildcard matches: an equality test such as cmd="<script>" fires only when the whole value is that literal string. Better still, alert on any 'cmd' value that is not a bare command name (letters and underscores only).
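The log indicators above can be checked offline with a short triage script. The following is an added example written for this page, not a Mercurial or vendor tool: it parses combined-format access log lines, URL-decodes every 'cmd' value (peeling double encoding), flags values that are not bare command names, and counts alerts per source address to surface the "repeated probes from one source" indicator. The log lines are constructed for the example, and the repeat threshold is an assumption.

```python
"""Added example: triage web-server access logs in front of hgweb for
suspicious 'cmd' values. Not Mercurial code; log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Fragments that never belong in an hgweb command name.
XSS_RE = re.compile(r"<|>|javascript:|on[a-z]+\s*=|&#", re.IGNORECASE)
# A legitimate cmd is a bare command name.
PLAIN_CMD_RE = re.compile(r"^[A-Za-z_]+$")

# Constructed sample: two normal hgweb requests, three probes from one source
# (plain, double-encoded and parameter-pollution variants) and one legitimate
# ';'-separated hgweb URL that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /hg/repo/?cmd=changelog HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2025:12:00:02 +0000] "GET /hg/repo/?cmd=heads HTTP/1.1" 200 41 "-" "mercurial/proto-1.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /hg/repo/?cmd=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 400 30 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /hg/repo/?cmd=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 400 30 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /hg/repo/?cmd=log&cmd=javascript:alert(1) HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2025:12:00:06 +0000] "GET /hg/repo/?cmd=file;node=tip;file=README HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def decode_fully(value, rounds=3):
    """Peel layered percent-encoding (%253C -> %3C -> <) so evasions surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_cmds(target):
    """Decoded 'cmd' values in a request target that are not bare command
    names or contain script-like fragments. ';' is accepted as a separator
    because hgweb URLs have historically used it alongside '&'."""
    query = urlsplit(target).query.replace(";", "&")
    flagged = []
    for raw in parse_qs(query, keep_blank_values=True).get("cmd", []):
        value = decode_fully(raw)
        if not PLAIN_CMD_RE.match(value) or XSS_RE.search(value):
            flagged.append(value)
    return flagged


def scan(lines, repeat_threshold=3):
    """Return (alerts, repeat_offenders): one alert per suspicious cmd value
    as (ip, status, decoded_value), plus the set of IPs with at least
    repeat_threshold alerts. The HTTP status is reported but not used to
    filter: a 200 on a probe is the more worrying case."""
    alerts, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in suspicious_cmds(m["target"]):
            alerts.append((m["ip"], m["status"], value))
            per_ip[m["ip"]] += 1
    repeat_offenders = {ip for ip, n in per_ip.items() if n >= repeat_threshold}
    return alerts, repeat_offenders


if __name__ == "__main__":
    found, offenders = scan(SAMPLE_LOG)
    for ip, status, value in found:
        print(f"{ip} {status} cmd={value!r}")
    print("repeat offenders:", sorted(offenders))
```

Feed it your real access log (one line per element) instead of SAMPLE_LOG; the decoded value is what to put in the ticket, since the raw log line may carry only the encoded form.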
