Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks

A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks.

The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0.

CVE ID: CVE-2025-54057
Description: Stored XSS vulnerability in Apache SkyWalking
Severity: Important
Affected Versions: Through 10.2.0

Overview of the Vulnerability

The vulnerability is a “Stored XSS” (Cross-Site Scripting) issue. In a stored XSS, the attacker's malicious code is saved by the application and later served back inside a web page, so it executes in the browser of every user who views that page.

This can lead to various security problems, including the theft of sensitive information like login credentials and personal data.

The vulnerability is due to the improper neutralization of script-related HTML tags in the web page, allowing attackers to inject and store malicious scripts.
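As an added illustration of the weakness class described above (not code from SkyWalking or from the advisory): a constructed dashboard cell renderer in its vulnerable and hardened forms, plus a check a reviewer can run over stored or rendered strings. The page does not say which SkyWalking field was affected, so the "service name" field, the function names, and the sample value are assumptions.

```javascript
// Added example, not SkyWalking's code. The affected field is not named on
// the page; "service name" is an assumed monitoring field used for illustration.

// Neutralizes every character with HTML meaning so the browser treats stored
// data as text, never as markup. This is the missing step behind "improper
// neutralization of script-related HTML tags".
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[ch]);
}

// Vulnerable pattern: a stored value is concatenated straight into markup,
// so a value carrying a <script> tag is rendered as a script, not as text.
function renderCellUnsafe(serviceName) {
  return `<td class="service">${serviceName}</td>`;
}

// Hardened pattern: the same cell, with the value neutralized first.
function renderCellSafe(serviceName) {
  return `<td class="service">${escapeHtml(serviceName)}</td>`;
}

// Reviewer's check: true if a string still carries an un-neutralized
// script-related construct (an opening or closing <script> tag, or an
// on*= event-handler attribute). Useful over stored records or rendered HTML.
function containsScriptTag(html) {
  return /<\s*\/?\s*script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample of a stored value carrying a harmless script tag.
const STORED_SAMPLE = '<script>void 0</script>';
```

Running `containsScriptTag` over both renderers with `STORED_SAMPLE` shows the unsafe cell still carries the tag while the hardened cell does not.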

The security flaw has been rated as “important” in severity. If exploited, attackers could gain unauthorized access to user accounts, impersonate users, or deface websites.

The potential for data theft is a significant concern for organizations that use Apache SkyWalking to monitor their applications.

Successful exploitation could compromise the entire application and its data.

Apache SkyWalking versions up to and including 10.2.0 are affected by this vulnerability. The SkyWalking development team has already released a patch in version 10.3.0.

All users of Apache SkyWalking are strongly advised to upgrade to this latest version immediately to protect their systems from potential attacks.

Upgrading to the new version is the only way to mitigate the risk posed by this vulnerability.

The vulnerability was discovered and reported by security researcher Vinh Nguyễn Quang. The Apache Software Foundation was notified, and a fix was developed and released.

The disclosure of this vulnerability highlights the importance of the open-source community in identifying and addressing security issues.
