CVE-2025-47049 Overview
CVE-2025-47049 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier, including AEM Cloud Service deployments. The flaw allows an attacker to manipulate the Document Object Model (DOM) to execute arbitrary JavaScript in the context of a victim's browser session. Exploitation requires user interaction, specifically the victim visiting a specially crafted URL or web page. Successful exploitation can result in session token theft, unauthorized actions performed as the victim, or delivery of secondary payloads. The issue is tracked under [CWE-79] and was published in Adobe Security Bulletin APSB25-48.
Critical Impact
An attacker can execute JavaScript in the victim's browser to steal session data or perform unauthorized actions within Adobe Experience Manager.
Affected Products
- Adobe Experience Manager versions 6.5.22 and earlier (on-premise)
- Adobe Experience Manager Cloud Service (AEM CS)
- All AEM deployments exposing the vulnerable client-side component
Discovery Timeline
- 2025-06-10 - CVE-2025-47049 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-47049
Vulnerability Analysis
The vulnerability is a DOM-based XSS flaw within Adobe Experience Manager's client-side JavaScript. DOM-based XSS occurs when untrusted data flows from a source such as location.hash, document.URL, or window.name into a dangerous sink like innerHTML, document.write, or eval without proper sanitization. In this case, AEM processes attacker-controlled input on the client and renders it into the page without adequate encoding. The attack executes entirely within the browser and does not require the payload to reach the server, which limits the effectiveness of server-side web application firewall rules. Because the scope is changed (S:C), the injected script can affect resources beyond the vulnerable component's origin, such as the AEM author console.
Root Cause
The root cause is improper neutralization of input during web page generation on the client side [CWE-79]. AEM client-side code takes data derived from the URL or other browser-controlled sources and inserts it into the DOM using an unsafe sink. Without encoding or a strict Content Security Policy, the browser interprets attacker-supplied markup as executable JavaScript.
Attack Vector
Exploitation is network-based and requires user interaction. The attacker crafts a URL containing a malicious payload in a fragment or query parameter and delivers it via phishing email, malicious link, or a compromised site. When the victim, typically an authenticated AEM author or administrator, opens the link, the payload executes in their browser. The attacker can then exfiltrate the AEM session cookie, submit content changes, or pivot to internal AEM APIs accessible to the victim.
// No verified public proof-of-concept is available for CVE-2025-47049.
// Refer to Adobe Security Bulletin APSB25-48 for vendor-provided technical details.
Detection Methods for CVE-2025-47049
Indicators of Compromise
- Unexpected outbound requests from AEM author sessions to attacker-controlled domains carrying cookies or form data
- AEM access logs showing referrers from unfamiliar external URLs immediately before privileged content changes
- Browser console errors or content modifications originating from unusual URL fragments containing <script>, javascript:, or encoded HTML
Detection Strategies
- Inspect web proxy and Content Security Policy (CSP) violation reports for script execution on AEM author domains
- Correlate AEM audit logs with authentication events to identify session activity performed shortly after clicking external links
- Deploy DOM XSS scanners against AEM author and publish tiers to identify vulnerable sinks in current builds
Monitoring Recommendations
- Monitor AEM access.log and dispatcher logs for suspicious query strings and fragment payloads targeting known AEM client scripts
- Alert on any AEM administrative API calls originating from browser sessions with anomalous referrers
- Enable and centralize browser CSP violation reporting for AEM origins to surface DOM-based script injection attempts
How to Mitigate CVE-2025-47049
Immediate Actions Required
- Upgrade Adobe Experience Manager on-premise deployments to a version later than 6.5.22 as directed in Adobe Security Bulletin APSB25-48
- Confirm AEM Cloud Service instances are running the current release, since Adobe pushes fixes to AEM CS automatically
- Instruct AEM authors and administrators to avoid clicking untrusted links while authenticated to the platform
Patch Information
Adobe released fixed builds addressed in Adobe Security Bulletin APSB25-48. Administrators should apply the AEM 6.5 Service Pack referenced in that bulletin. AEM Cloud Service customers receive the fix through the standard update channel and should verify their instance is running the patched release.
Workarounds
- Deploy a strict Content Security Policy on AEM author and publish origins that disallows inline scripts and restricts script sources
- Restrict AEM author instance access to trusted networks or VPN to limit exposure to phishing-delivered exploits
- Configure the AEM Dispatcher to filter suspicious query parameters and fragments containing script-like payloads until patching is complete
# Example Content-Security-Policy header for AEM author
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

