CVE-2025-25247 — Apache Felix Webconsole: XSS in services console

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8. Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.

How to fix CVE-2025-25247

To remediate CVE-2025-25247, upgrade the affected package to a fixed version below.

—upgrade to 4.9.10 or later

Is CVE-2025-25247 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.0.0, < 4.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-25247
PATCHgithub.com/apache/felix-dev
WEBgithub.com/apache/felix-dev/commit/87513ea3533fdb79d9e2b251410bf2bfbd63941e
WEBlists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m