CVE-2025-31325 Overview
CVE-2025-31325 is a reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver's ABAP Keyword Documentation component. An unauthenticated remote attacker can inject malicious JavaScript into a web page through an unprotected parameter. When a victim loads the crafted URL, the script executes in the browser session, exposing limited confidential information rendered on the page.
The issue is tracked under [CWE-79] and carries a CVSS 3.1 base score of 5.8. The scope is changed because the injected script executes outside the vulnerable component's security context. Data integrity and availability are not impacted.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in a victim's browser to disclose limited restricted information from the SAP NetWeaver documentation interface.
Affected Products
- SAP NetWeaver (ABAP Keyword Documentation component)
- Refer to SAP Note #3590887 for the affected Support Package versions
- Refer to the SAP Security Patch Day Announcement for the June 2025 patch cycle
Discovery Timeline
- 2025-06-10 - CVE-2025-31325 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-31325
Vulnerability Analysis
The vulnerability resides in the ABAP Keyword Documentation web interface of SAP NetWeaver. This component serves language reference material through HTTP endpoints. It accepts one or more request parameters that are reflected back into the rendered HTML response without adequate output encoding or input sanitization.
Because the endpoint is reachable without authentication, an attacker only needs to craft a URL containing a JavaScript payload and deliver it to a target. When the victim opens the link, the browser parses the attacker-controlled content as executable script within the origin serving the documentation page.
The CVSS vector specifies a changed scope, indicating the injected script can act beyond the vulnerable component. This enables read access to session artifacts or DOM content available to the victim's browser at that origin. The EPSS probability is 0.268% (percentile 18.454), reflecting a low observed exploitation trend.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The affected handler concatenates untrusted request parameters into HTML output without contextual escaping. Standard mitigations such as HTML entity encoding, Content Security Policy, or parameter allow-listing are absent for the affected parameter.
Attack Vector
The attack vector is network-based and requires no user privileges. Exploitation follows the classic reflected XSS pattern: an attacker crafts a URL pointing to the ABAP Keyword Documentation endpoint with a JavaScript payload placed in the vulnerable parameter. The attacker then distributes the link via phishing, chat, or an embedded iframe on a controlled site. When a legitimate user with browser access to the SAP NetWeaver host clicks the link, the payload executes in that user's browser context.
See SAP Note #3590887 for authoritative technical details.
Detection Methods for CVE-2025-31325
Indicators of Compromise
- HTTP GET or POST requests to ABAP Keyword Documentation URLs containing script tags, javascript: URIs, or encoded payloads such as %3Cscript%3E in query parameters.
- Web server access logs showing anomalous referrers or externally originated links pointing to the documentation endpoint.
- Browser console errors or content security policy violations tied to the SAP NetWeaver origin.
Detection Strategies
- Inspect SAP NetWeaver ICM and web dispatcher logs for suspicious query strings targeting ABAP documentation paths.
- Deploy Web Application Firewall (WAF) rules that flag reflected XSS payload signatures against the affected endpoint.
- Correlate outbound traffic from user endpoints to attacker-controlled domains immediately following documentation page visits.
Monitoring Recommendations
- Enable detailed HTTP logging on SAP NetWeaver application servers and forward logs to a centralized analytics platform.
- Alert on repeated 4xx or 5xx responses from the documentation component that include encoded script fragments.
- Monitor SAP user sessions for unusual client-side activity, such as unexpected API calls sourced from documentation pages.
How to Mitigate CVE-2025-31325
Immediate Actions Required
- Apply the SAP patch referenced in SAP Note #3590887 to all affected SAP NetWeaver systems.
- Restrict network exposure of the ABAP Keyword Documentation endpoint to trusted internal users where feasible.
- Notify SAP users of active phishing risks that leverage crafted documentation URLs.
Patch Information
SAP addressed CVE-2025-31325 in the June 2025 Security Patch Day cycle. Administrators should consult SAP Note #3590887 for the specific Support Package Stack and kernel levels required for remediation. Deployment guidance is available in the SAP Security Patch Day Announcement.
Workarounds
- Disable or block access to the ABAP Keyword Documentation service on production systems until patches are applied.
- Deploy a WAF policy that rejects requests containing script tags, event handlers, or encoded JavaScript in documentation parameters.
- Enforce a strict Content Security Policy on SAP NetWeaver responses to limit inline script execution.
- Train users to avoid clicking untrusted links that resolve to internal SAP hostnames.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

