CVE-2025-2901: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store
CVSS Score: 4.6 (CVSS v3.1)
Basic Information
- CVE ID:
- GHSA ID:
- EPSS Score: -
- CWE:
- Published: 5/6/2025
- Updated: 5/6/2025
- KEV Status: No
- Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jboss.hal:hal-console | maven | < 3.7.11.Final | 3.7.11.Final |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a stored XSS caused by improper sanitization of user-supplied server URLs before storage, and lack of adequate sanitization when rendering these stored URLs. The analysis of the patch commit 216de3b8aa82ea92df10cc296d88c68467cf2c52 reveals several key changes:
- Input Hardening: The `ServerActions.editUrl` method, which previously accepted a free-form string for the server URL, was changed to use a structured form (scheme, host, port). This restricts the user's ability to inject malicious script into the URL components during input.
- Data Storage and Retrieval: The `ServerUrl` class was refactored to handle these structured components, and its `getUrl()` method now primarily constructs the URL from these parts, returning a raw `String` instead of `SafeHtml`.
- Sanitization at Rendering:
  - In `ServerActions`, when displaying the server URL, explicit sanitization (`SafeHtmlUtils.fromString()`) was added before injecting the URL into HTML. This is a direct fix for an XSS rendering point.
  - In `DeploymentPreview`, the server URL (now a raw string) is used directly in an `href` attribute. This remains a potential execution point if a malicious URL could still be formed and stored, despite input hardening.
  - In `RestResourcePreview`, the server URL (raw string) is passed to another method, `specifyParameters`. This is another point where the malicious stored data is processed.

The identified vulnerable functions are either responsible for the initial flawed input (`ServerActions.editUrl` in its vulnerable state) or are points where the stored malicious URL is rendered or processed, leading to XSS execution (the `onSuccess` methods in `ServerActions`, `DeploymentPreview`, and `RestResourcePreview`). The commit addresses the vulnerability by modifying these input and rendering pathways.
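An illustrative Java model of the two-part fix described above (structured input plus escaping at the rendering point), added here as an example and not HAL's own code: the `ServerUrl`, `escapeHtml`, `renderVulnerable` and `renderHardened` names are assumptions, `escapeHtml` stands in for GWT's `SafeHtmlUtils.fromString()`, and the sample input is constructed.

```java
import java.util.Set;

// Illustrative model of the fix, not HAL's code: a server URL that can only be built
// from validated scheme/host/port parts, shown beside the free-form rendering it replaces.
public final class ServerUrlExample {
    // Allowlist for the scheme: an href built from a stored string should never carry
    // anything but a plain web scheme (assumption; HAL's actual allowed set is not on the page).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Structured server URL (hypothetical stand-in for the refactored ServerUrl). */
    public static final class ServerUrl {
        private final String scheme, host; private final int port;
        public ServerUrl(String scheme, String host, int port) {
            if (!ALLOWED_SCHEMES.contains(scheme)) throw new IllegalArgumentException("scheme");
            if (!host.matches("[A-Za-z0-9.-]+")) throw new IllegalArgumentException("host");
            if (port < 1 || port > 65535) throw new IllegalArgumentException("port");
            this.scheme = scheme; this.host = host; this.port = port;
        }
        /** Raw String, as in the patched getUrl(); escaping happens at render time. */
        public String getUrl() { return scheme + "://" + host + ":" + port; }
    }

    /** Minimal HTML escaping standing in for SafeHtmlUtils.fromString(). */
    public static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Vulnerable rendering: a free-form stored string dropped into markup unchanged. */
    public static String renderVulnerable(String storedUrl) {
        return "<a href=\"" + storedUrl + "\">" + storedUrl + "</a>";
    }

    /** Hardened rendering: structured URL, escaped at the point of output. */
    public static String renderHardened(ServerUrl url) {
        String safe = escapeHtml(url.getUrl());
        return "<a href=\"" + safe + "\">" + safe + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample: a "URL" carrying markup, as the old free-form editUrl would accept.
        String stored = "http://host\"><b>injected</b>";
        System.out.println(renderVulnerable(stored));   // markup escapes the attribute
        System.out.println(renderHardened(new ServerUrl("http", "host", 9990)));
        try { new ServerUrl("ftp", "host", 21); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The host check and scheme allowlist are what keep the `href` path from remaining an execution point once only structured parts can be stored; the escaping covers the text-node rendering path.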