CVE-2025-60002 Overview
CVE-2025-60002 is a stored Cross-Site Scripting (XSS) vulnerability in Juniper Networks Junos Space. The flaw exists in the Template Definitions page, where the application fails to neutralize user-supplied input before rendering it in the browser. Attackers can inject <script> tags that execute when another authenticated user, including administrators, views the affected page. The issue affects all versions of Junos Space before 24.1R4 and is tracked under CWE-79. Juniper published advisory JSA103140 covering the fix.
Critical Impact
Successful exploitation allows attackers to execute arbitrary script in an administrator's browser session, enabling command execution with the target user's permissions on the Junos Space management platform.
Affected Products
- Juniper Networks Junos Space, all versions before 24.1R4
- Juniper Networks Junos Space 24.1R1
- Juniper Networks Junos Space 24.1R2 and 24.1R3
Discovery Timeline
- 2025-10-09 - CVE-2025-60002 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-60002
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting flaw classified as [CWE-79], Improper Neutralization of Input During Web Page Generation. Junos Space accepts input into fields of the Template Definitions page without sanitizing or encoding HTML and JavaScript control characters. When a subsequent user loads the page, the browser interprets the injected markup as executable script within the trusted Junos Space origin.
Because Junos Space is a centralized network management platform, an administrator visiting a poisoned template triggers script execution in a highly privileged context. The attacker can issue authenticated requests to the management API on the victim's behalf, alter device configurations, or exfiltrate session data.
Root Cause
The root cause is missing output encoding in the Template Definitions rendering path. User-supplied template metadata is stored server-side and later reflected into HTML without contextual escaping. Any authenticated user with permission to create or modify template definitions can persist the payload.
Attack Vector
Exploitation is network-based and requires user interaction. The attacker submits a crafted template definition containing script content. When another user, such as a Junos Space administrator, opens the Template Definitions page, the injected payload executes with that user's privileges. The attack does not require prior privileged access to trigger execution against a victim, but it does depend on the victim visiting the affected page.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See Juniper Security Advisory JSA103140 for vendor technical details.
Detection Methods for CVE-2025-60002
Indicators of Compromise
- Template Definitions records containing HTML tags such as <script>, <img onerror=>, or javascript: URIs in name, description, or parameter fields.
- Junos Space web session activity originating from administrator accounts making unexpected API calls immediately after loading the Template Definitions page.
- Unexplained configuration changes or new user accounts created shortly after a template definition is viewed by a privileged user.
Detection Strategies
- Query the Junos Space database and audit logs for template definition entries containing angle brackets, event handlers, or encoded script fragments.
- Inspect HTTP access logs for POST and PUT requests to Template Definitions endpoints containing suspicious payloads.
- Correlate administrator browser sessions with subsequent privileged API activity to identify session-riding behavior consistent with XSS abuse.
Monitoring Recommendations
- Enable and centralize Junos Space audit logging, forwarding events to a SIEM for retention and correlation.
- Alert on creation or modification of template definitions by low-privilege accounts followed by administrator page views.
- Monitor for anomalous device configuration pushes initiated from the Junos Space UI that do not match approved change tickets.
How to Mitigate CVE-2025-60002
Immediate Actions Required
- Upgrade Junos Space to version 24.1R4 or later as directed by Juniper advisory JSA103140.
- Review existing Template Definitions and remove any entries containing HTML or script content.
- Restrict access to the Junos Space management interface to trusted administrative networks only.
Patch Information
Juniper Networks resolved the issue in Junos Space 24.1R4. Administrators running any earlier release, including 24.1R1, 24.1R2, and 24.1R3, must upgrade to obtain the fix. Refer to Juniper Security Advisory JSA103140 for the full list of fixed releases and upgrade instructions.
Workarounds
- Limit which users can create or edit Template Definitions to a small set of trusted operators until the upgrade is applied.
- Require administrators to access Junos Space from dedicated management workstations with strict browser isolation.
- Enforce short web session timeouts and re-authentication for administrative actions to reduce the window for session abuse.
# Verify the running Junos Space version before and after patching
ssh admin@<junos-space-host> "show system version"
# Confirm the release reports 24.1R4 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

