CVE-2025-30755
📋 TL;DR
OpenGrok 1.14.1 has a reflected cross-site scripting vulnerability in the cross reference page due to improper sanitization of the revision parameter. Attackers can inject malicious scripts that execute in victims' browsers when they visit crafted URLs. This affects all OpenGrok 1.14.1 deployments with the cross reference feature enabled.
💻 Affected Systems
- OpenGrok
📦 What is this software?
OpenGrok by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full account compromise.
Likely Case
Attackers steal session tokens to gain unauthorized access to the OpenGrok instance or perform limited actions within the user's context.
If Mitigated
Script execution is blocked by modern browser XSS protections or Content Security Policy, limiting impact to basic UI manipulation.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but no authentication. Attack complexity is low due to direct parameter reflection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.2 or later
Vendor Advisory: https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html
Restart Required: No
Instructions:
1. Download OpenGrok 1.14.2 or later from official sources.
2. Replace the vulnerable OpenGrok installation with the patched version.
3. Verify the fix by testing the revision parameter with XSS payloads.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the revision parameter before processing.
Add input validation in the cross reference servlet to filter/reject malicious characters
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources.
Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Disable cross reference functionality if not required
🔍 How to Verify
Check if Vulnerable:
Test by accessing the cross reference page with a payload like: /xref?revision=<script>alert('XSS')</script>
Check Version:
Check the OpenGrok version in the web interface footer or configuration files
Verify Fix Applied:
After patching, test with the same payload and verify no script execution occurs.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing script tags or JavaScript in the revision parameter
- Unusual parameter values in cross reference page requests
Network Indicators:
- HTTP requests with suspicious characters in the revision parameter
- Multiple failed XSS attempts from the same source
SIEM Query:
source="opengrok_access.log" AND uri="/xref" AND (revision CONTAINS "<script>" OR revision CONTAINS "javascript:")
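The following is an added example, not code from this page or from the OpenGrok project. It shows the two defensive pieces the page describes in code: the allowlist check behind the "Input Validation Filter" workaround, and the log indicators from the detection section applied to access-log lines. It assumes Common Log Format entries, uses the `/xref` path and `revision` parameter name exactly as the page names them, and uses an assumed allowlist pattern for revision identifiers; the sample log lines are constructed. It goes one step beyond the SIEM query above by percent-decoding the parameter (repeatedly) before matching, so encoded forms of the same markers are not missed, and by flagging anything that fails the allowlist even when no known marker is present.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed allowlist for a revision identifier: hex commit hashes, numeric
# revisions, and tag/branch names made of word characters, dots, dashes and
# slashes. Adjust to the SCMs actually in use; anything outside is rejected.
REVISION_RE = re.compile(r"^[A-Za-z0-9._/-]{1,128}$")

# The markers named in the page's detection indicators; matched on the
# decoded, lower-cased value.
SUSPICIOUS_MARKERS = ("<script", "javascript:")

# Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_valid_revision(value: str) -> bool:
    """Server-side allowlist check for the revision parameter (the workaround)."""
    return REVISION_RE.fullmatch(value) is not None


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %253C becomes '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_revision(path: str) -> Optional[str]:
    """Return the revision query value of a cross reference request, else None."""
    parts = urlsplit(path)
    if "/xref" not in parts.path:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("revision")
    return values[0] if values else None


def classify_revision(raw: str) -> Optional[str]:
    """Reason a revision value is suspicious, or None if it passes."""
    decoded = decode_fully(raw)
    lowered = decoded.lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker in lowered:
            return f"marker:{marker}"
    if not is_valid_revision(decoded):
        return "allowlist-violation"
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source ip, raw revision value, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        raw = extract_revision(m.group("path"))
        if raw is None:
            continue
        reason = classify_revision(raw)
        if reason:
            hits.append((m.group("ip"), raw, reason))
    return hits


def sources_over_threshold(hits, threshold: int = 3) -> dict:
    """Sources with repeated attempts (the page's 'multiple attempts from same source')."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /xref?revision=a1b2c3d HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2025:13:56:01 +0000] "GET /xref?revision=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2025:13:56:07 +0000] "GET /xref?revision=%253Cscript%253E HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2025:13:56:12 +0000] "GET /xref?revision=javascript:alert(1) HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2025:13:56:20 +0000] "GET /xref?revision=abc%22%3E HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2025:13:57:00 +0000] "GET /search?q=revision HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Oct/2025:13:58:41 +0000] "GET /xref?revision=release/1.14.2 HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip, raw, reason in found:
        print(f"{ip}\t{reason}\t{raw}")
    print("repeat offenders:", sources_over_threshold(found))
```

The second and third sample lines carry the same marker single- and double-encoded; a `CONTAINS "<script>"` match on the raw URI sees neither, which is why the decode step comes before the marker check. The allowlist branch catches values like `abc">` that contain no known marker but could never be a legitimate revision, which is the same check the server-side workaround should apply before the parameter is used.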