Apache SkyWalking, the widely adopted open-source Application Performance Monitoring (APM) system used for distributed systems in Cloud Native architectures, has released a critical security update. The project has patched a Stored Cross-Site Scripting (XSS) vulnerability that could allow attackers to compromise dashboards and the administrators who view them.
The vulnerability, tracked as CVE-2025-54057, is classified as “Important” and involves the “Improper Neutralization of Script-Related HTML Tags” within a web page.
Unlike Reflected XSS, which requires a victim to click a specific link, Stored XSS is particularly dangerous because the malicious script is permanently saved on the target server (in this case, likely within the SkyWalking OAP server or UI configuration). When an administrator or user opens the affected dashboard or page, the malicious script executes automatically in their browser.
While the official advisory highlights basic XSS, external analysis indicates the flaw specifically involves insufficient validation of URLs for widgets, allowing attackers to inject malicious payloads that persist in the monitoring interface.
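As an added defensive illustration (not SkyWalking's own code), the snippet below shows the kind of scheme allow-listing and output escaping that closes a stored-XSS path through a user-supplied widget URL; the widget link renderer, its field names and the dashboard base origin are assumptions.

```javascript
// Added example, not from the SkyWalking project: validate a widget URL
// before it is stored or rendered, and escape anything interpolated into HTML.
// The render function and base origin are assumptions for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if the value is safe to use as a link
// target, otherwise null. Relative paths resolve against the assumed dashboard
// origin; the URL parser also strips embedded tabs/newlines, so obfuscated
// "javascript:" or "data:" schemes still fail the allow-list check.
function sanitizeWidgetUrl(value, base = "https://dashboard.example") {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(value.trim(), base);
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Escapes the characters that matter when a stored string is placed into
// HTML text content or a double-quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds link markup from an untrusted title and URL. A rejected URL degrades
// to plain text instead of becoming an executable link target.
function renderWidgetLink(title, url) {
  const safeTitle = escapeHtml(title);
  const safeUrl = sanitizeWidgetUrl(url);
  if (safeUrl === null) return `<span>${safeTitle}</span>`;
  return `<a href="${escapeHtml(safeUrl)}">${safeTitle}</a>`;
}
```

Scheme allow-listing is the minimum; whether to additionally restrict hosts is a separate deployment decision.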
The vulnerability was reported by security researcher Vinh Nguyễn Quang.
For an APM tool like SkyWalking, which provides “monitoring, tracing and diagnosing capabilities,” a Stored XSS flaw presents a unique risk. Attackers could potentially:
- Hijack Sessions: Steal session cookies of administrators viewing the infected widgets.
- Redirect Users: Force users to malicious external sites.
- Manipulate Data: Alter the visualization of metrics to hide malicious activity or create false alarms.
The Apache SkyWalking team has released a fix in version 10.3.0. Users running any version up to and including 10.2.0 are strongly advised to upgrade immediately to mitigate this risk.