CVE-2025-54057: Apache SkyWalking has a stored XSS vulnerability

November 27, 2025 (updated December 5, 2025)

There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.

This issue affects Apache SkyWalking versions <= 10.2.0.

Users are recommended to upgrade to version 10.3.0, which fixes the issue. Version 10.3.0 has not been uploaded to the Maven registry at time of publish, please see release notes for download instructions.

References

github.com/advisories/GHSA-v6x2-4q87-rf82
github.com/apache/skywalking
lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr
nvd.nist.gov/vuln/detail/CVE-2025-54057

Code Behaviors & Features

Detect and mitigate CVE-2025-54057 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →