CVE-2025-1553: XSS in pankajindevops scale
Platform: other
Component: scale
Fixed in: 3633544.0.1
CVE-2025-1553 describes a cross-site scripting (XSS) vulnerability discovered in pankajindevops scale, impacting versions up to 3633544a00245d3df88b6d13d9b3dd0f411be7f6. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. A patched version, 3633544.0.1, is now available, and users are strongly advised to update.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-1553 allows an attacker to inject arbitrary JavaScript code into the pankajindevops scale application. This can be leveraged to steal user session cookies, redirect users to malicious websites, or modify the content displayed to users. Given the nature of XSS, the impact can range from minor annoyance to complete compromise of user accounts and data. The vulnerability's remote accessibility significantly broadens the attack surface, as it doesn't require local access to the system. The continuous delivery model of pankajindevops scale means that vulnerabilities can be introduced frequently, making proactive monitoring and patching crucial.
Exploitation Context
CVE-2025-1553 has been publicly disclosed, increasing the risk of exploitation. The lack of specific version details for affected and updated releases, coupled with the continuous delivery model, complicates vulnerability management. The exploit is publicly available, making it accessible to a wide range of attackers. The CVSS score is LOW, but the ease of exploitation and potential impact warrant prompt attention. No KEV listing or active exploitation campaigns have been reported as of the publication date.
Threat Intelligence
Exploit Status
EPSS: 0.14% (34% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-1553 is to upgrade to version 3633544.0.1 or later. Given the continuous delivery model, regularly checking for updates is essential. While a direct patch is available, consider implementing input validation and output encoding on the 'goal' parameter within the /scale/project endpoint as a temporary workaround. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of defense. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the 'goal' parameter and verifying that it is properly sanitized or blocked.
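One way to apply the validation-and-encoding workaround and the post-upgrade check described above, as an added example that is not code from pankajindevops scale. The helper names, the allow-list policy and the rendered markup are assumptions, since the page does not show the application's source.

```javascript
// Added example: defensive handling of the 'goal' parameter.
// All function names and the markup below are hypothetical.

// Output encoding: HTML-encode a value before writing it into element
// content or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input validation (assumed policy): a goal is 1-200 characters of letters,
// digits, spaces and basic punctuation. Angle brackets are not on the list.
const GOAL_ALLOWED = /^[\p{L}\p{N}\p{Zs}.,:;!?()'"%&\/+-]{1,200}$/u;

function validateGoal(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const goal = raw.trim();
  if (!GOAL_ALLOWED.test(goal)) return { ok: false, reason: 'disallowed content' };
  return { ok: true, goal };
}

// Stand-ins for the page that echoes 'goal': without and with encoding.
const renderUnsafe = (goal) => `<h2>Goal: ${goal}</h2>`;
const renderSafe = (goal) => `<h2>Goal: ${escapeHtml(goal)}</h2>`;

// Post-upgrade check: classify how a probe value appears in a response body.
// The probe must contain at least one HTML metacharacter to be meaningful.
function classifyReflection(body, probe) {
  if (body.includes(probe)) return 'reflected-raw';                  // still vulnerable
  if (body.includes(escapeHtml(probe))) return 'reflected-encoded';  // encoded on output
  return 'not-reflected';                                            // stripped or blocked
}

// Test string quoted in the mitigation text above.
const PROBE = "<script>alert('XSS')</script>";

console.log(validateGoal(PROBE));                                // rejected by the allow-list
console.log(classifyReflection(renderUnsafe(PROBE), PROBE));     // reflected-raw
console.log(classifyReflection(renderSafe(PROBE), PROBE));       // reflected-encoded
```

Validation and encoding are applied together here because an accepted value such as one containing `&` still needs encoding when it is written into HTML.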
How to fix
Because no fixed version is available, contacting the vendor for a patch or an updated version that fixes the XSS vulnerability is recommended. As a temporary measure, validate and escape user input in the 'goal' parameter of the /scale/project file to prevent injection of malicious code.
Frequently asked questions
What is CVE-2025-1553 — XSS in pankajindevops scale?
CVE-2025-1553 is a cross-site scripting (XSS) vulnerability in pankajindevops scale, allowing attackers to inject malicious scripts. It affects versions up to 3633544a00245d3df88b6d13d9b3dd0f411be7f6.
Am I affected by CVE-2025-1553 in pankajindevops scale?
If you are using pankajindevops scale versions prior to 3633544.0.1, you are potentially affected by this XSS vulnerability.
How do I fix CVE-2025-1553 in pankajindevops scale?
Upgrade to version 3633544.0.1 or later to address the vulnerability. Regularly check for updates due to the continuous delivery model.
Is CVE-2025-1553 being actively exploited?
The exploit is publicly available, so active exploitation is possible. Monitor your systems for suspicious activity.
Where can I find the official pankajindevops scale advisory for CVE-2025-1553?
Refer to the pankajindevops scale release notes and security advisories for details on this vulnerability and the corresponding fix.