CVE-2025-27867
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Apache Felix HTTP Webconsole Plugin that allows attackers to inject malicious scripts into web pages. It affects users of Apache Felix HTTP Webconsole Plugin versions 1.X through 1.2.0. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions.
💻 Affected Systems
- Apache Felix HTTP Webconsole Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative access to the Felix Webconsole, potentially compromising the entire OSGi container and deployed applications.
Likely Case
Session hijacking, credential theft, or unauthorized actions within the Webconsole interface.
If Mitigated
Limited impact if Webconsole is not exposed to untrusted users and proper input validation is implemented.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity, but authentication to the Webconsole is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2
Vendor Advisory: https://lists.apache.org/thread/y83f2rvm8bccr5ctgv7mzxd69p6f77dp
Restart Required: Yes
Instructions:
1. Download Apache Felix HTTP Webconsole Plugin version 1.2.2 from official Apache repositories.
2. Replace the vulnerable plugin JAR file in your Felix installation.
3. Restart the OSGi container or Felix framework.
🔧 Temporary Workarounds
Restrict Webconsole Access
Limit access to the Felix Webconsole to trusted IP addresses only.
Configure firewall rules or web server access controls to restrict access to the Webconsole port (typically 8080).
Disable Webconsole
Temporarily disable the Webconsole plugin if not required.
Stop the Felix framework, remove or rename the webconsole plugin JAR file, then restart.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers for the Webconsole.
- Ensure all users with Webconsole access have strong, unique passwords and MFA enabled.
🔍 How to Verify
Check if Vulnerable:
Check the version of the Apache Felix HTTP Webconsole Plugin JAR file in your Felix installation.
Check Version:
Check the JAR file name or manifest: 'unzip -p org.apache.felix.http.webconsole-*.jar META-INF/MANIFEST.MF | grep Bundle-Version' on Linux, or inspect JAR properties on Windows.
Verify Fix Applied:
Verify that the plugin version is 1.2.2 or higher after patching.
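The version check above, as an added example that is not part of the advisory: a POSIX shell script that reads Bundle-Version from a plugin manifest and compares it against the fixed release 1.2.2. It assumes the manifest carries the standard OSGi Bundle-Version header and that the unzip tool is present for the on-disk check; the sample manifest is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): checks the Bundle-Version of the
# Felix HTTP Webconsole Plugin against the fixed release 1.2.2.
# Assumptions: the manifest carries a Bundle-Version header (standard OSGi),
# and the unzip tool is available for check_jar.

FIXED_VERSION=1.2.2

# Constructed sample manifest standing in for META-INF/MANIFEST.MF.
SAMPLE_MANIFEST='Manifest-Version: 1.0
Bundle-SymbolicName: org.apache.felix.http.webconsole
Bundle-Version: 1.2.0
'

# Print the Bundle-Version value from manifest text on stdin.
manifest_version() {
  sed -n 's/^Bundle-Version:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Compare the numeric major.minor.micro parts of two OSGi versions.
# Prints -1, 0 or 1; qualifiers such as 1.2.2.SNAPSHOT are ignored.
# Two dots are appended so cut always sees a delimited line.
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s..' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
    y=$(printf '%s..' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# True (exit 0) when the given version is at or above FIXED_VERSION.
is_fixed() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Inspect a plugin JAR on disk and report whether it still needs the patch.
check_jar() {
  v=$(unzip -p "$1" META-INF/MANIFEST.MF | manifest_version)
  if [ -z "$v" ]; then
    echo "$1: no Bundle-Version found in manifest"; return 2
  fi
  if is_fixed "$v"; then
    echo "$1: $v (at or above $FIXED_VERSION, fixed)"
  else
    echo "$1: $v (below $FIXED_VERSION, affected by CVE-2025-27867)"; return 1
  fi
}

# Usage on a real installation (path is an assumption, adjust to your bundle dir):
#   for j in /opt/felix/bundle/org.apache.felix.http.webconsole-*.jar; do check_jar "$j"; done
# Stand-alone demo on the constructed manifest:
printf '%s' "$SAMPLE_MANIFEST" | manifest_version
```

The comparison deliberately ignores the OSGi qualifier segment, so a 1.2.2.SNAPSHOT build is reported as fixed; if your builds carry qualifiers that matter, compare the full string instead.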
📡 Detection & Monitoring
Log Indicators:
- Unusual or malicious script patterns in Webconsole access logs, unexpected authentication attempts.
Network Indicators:
- HTTP requests containing script tags or JavaScript payloads to the Webconsole endpoint.
SIEM Query:
source="felix-webconsole" AND (url="*<script>*" OR (method="POST" AND status=200 AND size>normal))
(where normal stands for your baseline response size for that endpoint)
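The log and network indicators above, turned into a runnable check as an added example that is not part of the advisory: a POSIX shell script that scans combined-format access log lines for script tags (raw or percent-encoded) in requests to the Webconsole and tallies failed logins per source address. It assumes the Webconsole is served under /system/console, its default alias; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): scans access logs in combined-log
# format for the log and network indicators listed for CVE-2025-27867.
# Assumption: the Webconsole is served under /system/console (default alias).

# Constructed sample log lines: two requests carry a script tag (one raw, one
# URL-encoded) and one source address produces repeated 401 responses.
SAMPLE_LOG='10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "GET /system/console/bundles HTTP/1.1" 200 5120
10.0.0.5 - admin [01/Jan/2025:10:00:05 +0000] "GET /system/console/bundles?filter=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5200
10.0.0.9 - - [01/Jan/2025:10:01:00 +0000] "GET /system/console/bundles HTTP/1.1" 401 120
10.0.0.9 - - [01/Jan/2025:10:01:02 +0000] "GET /system/console/bundles HTTP/1.1" 401 120
10.0.0.5 - admin [01/Jan/2025:10:02:00 +0000] "POST /system/console/configMgr HTTP/1.1" 200 4800
10.0.0.7 - admin [01/Jan/2025:10:03:00 +0000] "GET /system/console/services?q=<SCRIPT>x</SCRIPT> HTTP/1.1" 200 5300'

# Print log lines whose request to the Webconsole contains a script tag,
# raw or percent-encoded, matched case-insensitively.
flag_script_requests() {
  grep -iE '"(GET|POST|PUT|DELETE) /system/console[^"]*(<script|%3Cscript)'
}

# Number of flagged lines (tr strips the padding some wc builds emit).
count_flagged() {
  flag_script_requests | wc -l | tr -d ' '
}

# Count 401 responses per client address; repeated entries from one source
# are the "unexpected authentication attempts" indicator.
failed_auth_by_ip() {
  awk '$9 == 401 { n[$1]++ } END { for (ip in n) print n[ip], ip }'
}

# Usage on a real log:  flag_script_requests < /var/log/httpd/access_log
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | flag_script_requests
printf '%s\n' "$SAMPLE_LOG" | failed_auth_by_ip
```

Feed the functions your real access log on stdin; the grep pattern is a starting point and should be extended with whatever encodings your proxy layer normalises before logging.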