Platform
php
Component
geshi/geshi
Fixed version
1.0.10
A problematic cross-site scripting (XSS) vulnerability has been identified in GeSHi, a syntax highlighting library, affecting versions up to 1.0.9.1. This vulnerability resides within the CSS Handler component, specifically the get_var function in the /contrib/cssgen.php file. Attackers can exploit this flaw by manipulating the default-styles argument, potentially leading to malicious script execution within a user's browser.
Successful exploitation of CVE-2025-2123 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can lead to a variety of malicious outcomes, including session hijacking, credential theft, and defacement of the web application. The vulnerability's remote accessibility significantly broadens its potential impact, as attackers do not require local access to exploit it. The impact is amplified if the affected GeSHi instance is integrated into a widely used application, potentially exposing a large number of users to risk.
This vulnerability was publicly disclosed on March 9, 2025. While the CVSS score is LOW (3.5), the ease of exploitation and potential impact warrant prompt attention. No known active campaigns targeting this vulnerability have been reported at the time of writing, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature and public disclosure.
Web applications that utilize GeSHi for syntax highlighting, particularly those with user-supplied content or untrusted input, are at risk. Shared hosting environments where multiple applications share the same GeSHi installation are also vulnerable, as a compromise in one application could potentially impact others.
• php: Examine web server access logs for requests containing suspicious default-styles parameters with deeply nested directory structures or unusual characters.
  grep 'default-styles/.*' /var/log/apache2/access.log
• generic web: Use curl to test the affected endpoint with a crafted default-styles parameter and observe the response for signs of JavaScript execution.
  curl 'http://example.com/geshi/?file=test.txt&default-styles/a/b/c/d/e=alert("XSS")'
• generic web: Inspect the HTML source code of pages using GeSHi for injected JavaScript code. Look for unexpected <script> tags or event handlers.
Exploit status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2123 is to upgrade GeSHi to version 1.0.10 or later, which contains the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing input validation and sanitization on the default-styles parameter to prevent the injection of malicious code. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the default-styles parameter and confirming that it is properly sanitized.
Update GeSHi to a version later than 1.0.9.1, if one exists, that fixes the cross-site scripting (XSS) vulnerability in the cssgen.php file. If no such version is available, consider disabling or removing the CSS Handler component until a fix is published. As a temporary measure, you can implement input validation and sanitization on the 'default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments' parameter to mitigate the XSS risk.
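As an added illustration of the input validation and sanitization that both mitigation notes above recommend, the following is example code written for this page, not GeSHi's own cssgen.php: a request-variable helper that allowlists the style value and escapes it on output. The field names are assumed from the parameter path quoted above, and the expected value shape (a simple CSS declaration list) is an assumption.

```php
<?php
// Example code, not part of GeSHi. Assumed field names come from the
// 'default-styles/keywords-1/.../comments' parameter path in the advisory;
// each value is assumed to be a CSS declaration list such as
// "color: #ff0000; font-weight: bold;".

/**
 * Return the request value for $name, or $default, after validating that it
 * contains only characters that can appear in a simple CSS declaration list.
 * Quotes, angle brackets, parentheses, slashes and anything else outside the
 * allowlist cause the tainted value to be discarded in favour of the default.
 */
function get_style_var(string $name, string $default = ''): string
{
    $value = $_POST[$name] ?? $_GET[$name] ?? null;
    // Reject missing values and array-shaped parameters (e.g. name[]=...).
    if ($value === null || !is_string($value)) {
        return $default;
    }
    // Allowlist: property names, hex colours, units, percentages, separators.
    if (!preg_match('/\A[A-Za-z0-9#%.,:;\s-]{0,256}\z/', $value)) {
        return $default;
    }
    return $value;
}

/**
 * Escape a value before it is written into the HTML document (an input
 * element's value attribute or the generated stylesheet preview), so that
 * even an allowlisted value cannot break out of its context.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rendering the form fields with validated, escaped values (assumed names).
$groups = ['default-styles', 'keywords-1', 'keywords-2',
           'keywords-3', 'keywords-4', 'comments'];
foreach ($groups as $group) {
    $css = get_style_var($group, 'color: #000000;');
    echo '<input type="text" name="' . html_escape($group)
       . '" value="' . html_escape($css) . '">' . "\n";
}
```

With this helper a submitted value such as `alert("XSS")` fails the allowlist and is replaced by the default before it ever reaches the output, and the escaping step covers the remaining cases where an allowlisted value is placed into an attribute.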
CVE-2025-2123 is a cross-site scripting (XSS) vulnerability affecting GeSHi versions up to 1.0.9.1, allowing attackers to inject malicious scripts via the default-styles parameter in the CSS Handler component.
You are affected if you are using GeSHi version 1.0.9.1 or earlier. Check your GeSHi installation version and upgrade if necessary.
Upgrade GeSHi to version 1.0.10 or later to resolve this vulnerability. Implement input validation as a temporary workaround if upgrading is not immediately possible.
No active exploitation campaigns have been publicly reported at this time, but the vulnerability is publicly disclosed and may be targeted in the future.
Refer to the GeSHi project's official website or security mailing list for the latest advisory and updates regarding CVE-2025-2123.