CVE-2025-6700 Overview
CVE-2025-6700 is a reflected cross-site scripting (XSS) vulnerability in Xuxueli xxl-sso version 1.1.0, a distributed single sign-on framework. The flaw resides in the /xxl-sso-server/login endpoint, where the errorMsg request parameter is reflected into the login response without sufficient output encoding. An unauthenticated remote attacker can craft a malicious URL that executes arbitrary JavaScript in a victim's browser session. The weakness is tracked under CWE-79. Public proof-of-concept material has been disclosed, and the vendor did not respond to the disclosure attempt.
Critical Impact
Attackers can hijack authenticated SSO sessions, steal credentials submitted at the login page, or pivot to any downstream application federated through the xxl-sso server.
Affected Products
- Xuxueli xxl-sso 1.1.0
- Deployments exposing the /xxl-sso-server/login endpoint to untrusted networks
- Downstream applications relying on xxl-sso as an identity provider
Discovery Timeline
- 2025-06-26 - CVE-2025-6700 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6700
Vulnerability Analysis
The vulnerability is a reflected XSS flaw in the login controller of the xxl-sso server. When authentication fails or a redirect occurs, the server includes the errorMsg query parameter in the rendered login page. Because the value is inserted into the HTML response without proper contextual encoding, an attacker-supplied payload containing HTML or JavaScript executes in the browser of any user who follows the crafted link. Exploitation requires user interaction, typically clicking a link delivered through phishing, chat, or a compromised referring site.
Root Cause
The root cause is insufficient output encoding of user-controlled input rendered into an HTML context. The errorMsg parameter is echoed from the request into the login template, but no HTML entity encoding or template auto-escaping is applied. Any characters such as <, >, ", and ' retain their syntactic meaning, allowing script tags or event handlers to break out of the intended text node.
Attack Vector
An attacker constructs a URL of the form https://<victim-sso-host>/xxl-sso-server/login?errorMsg=<payload> and delivers it to a target. When the victim opens the link, the payload runs in the origin of the SSO server. Because xxl-sso mediates authentication for federated applications, the attacker can read session cookies exposed to that origin, capture credentials typed into the login form via a scripted keylogger, or redirect the victim to a phishing page. The attack works remotely without authentication, though it depends on the victim clicking the malicious link.
No verified exploit code is republished here. Technical details are available in the GitHub PoC Report and VulDB entry #313966.
Detection Methods for CVE-2025-6700
Indicators of Compromise
- Web server access logs containing requests to /xxl-sso-server/login with errorMsg values that include <, >, script, onerror, onload, or URL-encoded equivalents such as %3Cscript
- Referrer headers pointing to unfamiliar third-party domains preceding SSO login activity
- Outbound requests from browsers to attacker-controlled hosts immediately after users visit the login page
Detection Strategies
- Deploy web application firewall rules that inspect the errorMsg parameter on the login endpoint for XSS signatures
- Correlate SSO login page hits containing suspicious query strings with subsequent authentication anomalies in downstream applications
- Enable Content Security Policy (CSP) violation reporting to surface inline script execution attempts on the SSO domain
Monitoring Recommendations
- Alert on any GET request to /xxl-sso-server/login where query parameters contain HTML tag characters or JavaScript keywords
- Track spikes in login failures followed by successful authentications from the same source, which may indicate session or credential theft
- Review egress traffic from user endpoints for connections to domains not previously seen in the environment during SSO sessions
How to Mitigate CVE-2025-6700
Immediate Actions Required
- Restrict access to the /xxl-sso-server/login endpoint from untrusted networks where feasible, using network ACLs or a reverse proxy
- Deploy a WAF rule that blocks or sanitizes errorMsg parameter values containing HTML metacharacters
- Enforce a strict Content Security Policy on the SSO server that disallows inline scripts and untrusted script sources
- Notify users of the risk of clicking unsolicited SSO login links and reinforce phishing awareness
Patch Information
As of the last NVD modification date, the vendor has not published a fixed release, and the disclosure notes indicate the vendor did not respond. Organizations should track the VulDB advisory and the upstream xxl-sso project for future updates. Until an official patch is available, apply compensating controls and consider forking the project to apply local HTML encoding on the errorMsg parameter.
Workarounds
- Modify the login template to HTML-encode the errorMsg value before rendering, for example by using the framework's built-in escaping tags rather than raw output
- Remove or ignore the errorMsg query parameter server-side and rely on session-scoped flash messages for authentication errors
- Add HTTP response headers X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, and a restrictive Content-Security-Policy on the SSO server
# Example nginx configuration to block suspicious errorMsg payloads
location /xxl-sso-server/login {
if ($arg_errorMsg ~* "(<|>|script|onerror|onload|javascript:)") {
return 403;
}
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'";
add_header X-Content-Type-Options "nosniff";
proxy_pass http://xxl_sso_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

