CVE-2025-60646

6.1 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Xxl-api v1.3.0 allows attackers to inject malicious scripts into the Business Line Management module's Name parameter. When other users view the affected page, their browsers execute the attacker's code. Anyone using the vulnerable version of Xxl-api is affected.

💻 Affected Systems

Products:
  • Xxl-api
Versions: v1.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Business Line Management module. Requires the attacker to be able to set the Name parameter.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, defacement of the application interface, or data exfiltration from user browsers.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting UI display without code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to modify the Name parameter in the Business Line Management module. A public proof-of-concept is available in the GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/xuxueli/xxl-api/issues/65

Restart Required: No

Instructions:

1. Monitor the GitHub repository for patches.
2. Implement input validation and output encoding.
3. Consider upgrading if newer versions are available.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to sanitize Name parameter inputs. Implement a regex allow-list for the Name field: /^[a-zA-Z0-9\s\-_.]+$/

Output Encoding (applies to: all)

Apply proper HTML encoding when displaying Name parameter values. Use HTML entity encoding: &lt; for <, &gt; for >, &amp; for &, &quot; for ", &#39; for '
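The two workarounds above combined in one server-side helper, as an added example (not xxl-api's own code): the allow-list regex from the advisory is applied on input and the five-entity encoding on output. The class name, the 64-character length bound, and the sample strings are assumptions constructed for the example.

```java
import java.util.regex.Pattern;

/** Hypothetical helper for the Business Line "Name" field; not part of xxl-api. */
public final class BusinessLineNameGuard {

    // Allow-list from the advisory: letters, digits, whitespace, '-', '_' and '.'
    private static final Pattern NAME_ALLOWED = Pattern.compile("^[a-zA-Z0-9\\s\\-_.]+$");

    // Assumed upper bound on a business line name; not from the advisory.
    private static final int MAX_NAME_LENGTH = 64;

    private BusinessLineNameGuard() {}

    /** Server-side input validation: reject anything outside the allow-list. */
    public static boolean isValidName(String name) {
        return name != null
                && !name.isEmpty()
                && name.length() <= MAX_NAME_LENGTH
                && NAME_ALLOWED.matcher(name).matches();
    }

    /** Output encoding with the five entities the advisory lists; safe for HTML text and attribute values. */
    public static String htmlEncode(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: the probe string from the verification section and a benign name.
        String probe  = "<script>alert('XSS')</script>";
        String benign = "Payments-API v1.3";

        // Validate both on input, then encode both for output (defence in depth:
        // encoding still neutralises the probe even if validation were bypassed).
        System.out.println("probe accepted:  " + isValidName(probe));
        System.out.println("benign accepted: " + isValidName(benign));
        System.out.println("probe rendered:  " + htmlEncode(probe));
    }
}
```

Validation belongs in the controller or service that persists the business line; encoding belongs in the template that renders it, so each layer protects the other.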

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads in Name parameter
  • Restrict access to Business Line Management module to trusted users only

🔍 How to Verify

Check if Vulnerable:

Test by injecting <script>alert('XSS')</script> into Name parameter of Business Line Management module

Check Version:

Check package.json or application configuration for version number

Verify Fix Applied:

Verify injected scripts no longer execute when viewing the affected page

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters in Name parameter logs
  • Multiple failed validation attempts for Name field

Network Indicators:

  • POST requests to Business Line Management with script tags in parameters

SIEM Query:

source="web_logs" AND (uri="/business_line" OR uri="/api/business_line") AND (param="name" AND value MATCHES "<script.*>")

🔗 References
