CVE-2025-2361 Overview
CVE-2025-2361 is a reflected cross-site scripting (XSS) vulnerability in the Mercurial SCM web interface. The flaw affects Mercurial SCM version 4.5.3/71.19.145.211 and allows remote attackers to inject arbitrary script content through the cmd argument. Exploitation requires user interaction, typically by tricking a victim into clicking a crafted URL.
The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation). Public disclosure occurred through VulDB submission 514024, and the vendor did not respond to early notification attempts.
Critical Impact
A remote attacker can execute arbitrary JavaScript in a victim's browser session by manipulating the cmd parameter, enabling session hijacking, credential theft, or repository manipulation via authenticated victims.
Affected Products
- Mercurial SCM version 4.5.3/71.19.145.211
- Mercurial SCM Web Interface component
- Debian LTS distributions bundling the affected Mercurial version
Discovery Timeline
- 2025-03-17 - CVE-2025-2361 published to NVD
- 2025-03-21 - Disclosure posted to the Openwall OSS Security list
- 2025-03 - Debian LTS security advisory issued
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-2361
Vulnerability Analysis
The vulnerability exists in the Mercurial web interface (hgweb) component. The application fails to properly neutralize input supplied via the cmd argument before rendering it in HTTP responses. An attacker who crafts a malicious URL containing script payloads in the cmd parameter can cause the victim's browser to execute the attacker's JavaScript within the origin of the vulnerable Mercurial instance.
The attack is initiated over the network without authentication, but requires the victim to interact with the malicious link. Because the attacker's script runs in the security context of the Mercurial web application, it can access authenticated session cookies, manipulate the Document Object Model (DOM), and issue requests on behalf of the victim.
The issue is categorized as reflected XSS, meaning the injected payload is echoed back in the response rather than persistently stored on the server.
Root Cause
The root cause is missing or insufficient output encoding when the cmd query parameter is reflected into HTML responses generated by the Mercurial web interface. User-controlled input flows directly into the response body without being escaped for the HTML context, violating the input validation and output encoding requirements described by CWE-79.
Attack Vector
An attacker crafts a URL pointing to a targeted hgweb instance with a malicious value for the cmd parameter. The payload contains HTML or JavaScript designed to execute in the victim's browser. The attacker then delivers this URL via phishing email, chat, or a third-party site. When the victim clicks the link, the Mercurial web interface reflects the payload into its response, and the browser executes the injected script.
Because exploitation has been publicly disclosed through the VulDB entry and the Openwall OSS Security post, defenders should assume weaponized proof-of-concept content is available.
Detection Methods for CVE-2025-2361
Indicators of Compromise
- HTTP requests to hgweb endpoints containing script tags, javascript: URIs, or event handler attributes in the cmd query parameter
- Web server access logs showing URL-encoded payloads such as %3Cscript%3E or onerror= in requests to Mercurial URLs
- Referrer headers on Mercurial requests originating from unexpected external domains, indicating link-based delivery
Detection Strategies
- Deploy web application firewall (WAF) rules that flag suspicious characters and script fragments in query parameters targeting hgweb
- Correlate Mercurial web server logs against browser telemetry to identify sessions where reflected content contains executable markup
- Alert on outbound HTTP requests from user browsers to unfamiliar destinations immediately following Mercurial page loads, indicating potential exfiltration by injected scripts
Monitoring Recommendations
- Enable verbose access logging on all Mercurial web-facing hosts and forward logs to a centralized analytics platform for retention and correlation
- Monitor for anomalous authentication events on Mercurial repositories, including unexpected commits, permission changes, or new SSH key additions that could result from session hijacking
- Track browser Content Security Policy (CSP) violation reports if CSP headers are deployed in front of the Mercurial interface
How to Mitigate CVE-2025-2361
Immediate Actions Required
- Apply the Debian LTS security update referenced in the Debian LTS Announcement to any Debian systems running Mercurial
- Restrict access to the Mercurial web interface using network segmentation, VPN gating, or reverse proxy authentication until patches are validated
- Review recent web server logs for evidence of exploitation attempts targeting the cmd parameter
Patch Information
Debian LTS has released updated Mercurial packages addressing this issue. Administrators running Mercurial from source or third-party repositories should upgrade to a version that includes proper output encoding for the cmd parameter in the web interface. Consult the Openwall OSS Security post and the VulDB advisory for version-specific guidance. Because the upstream vendor did not respond to disclosure, distribution-provided patches are the primary remediation source.
Workarounds
- Place the Mercurial web interface behind a reverse proxy configured to strip or sanitize dangerous characters from the cmd query parameter
- Deploy a strict Content Security Policy (CSP) header that disallows inline scripts and untrusted script sources to blunt exploitation of reflected XSS
- Require authentication for all hgweb access and educate users to avoid clicking untrusted Mercurial URLs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

