Mercurial 6.9.4 tagged (CVE-2025-2361)
Pierre-Yves David
pierre-yves.david at octobus.net
Wed Mar 19 15:16:31 UTC 2025
This is an out-of-schedule security release.
Please update your package builds, thanks.
This fixes an XSS vulnerability in hgweb, where an attacker could forge a link that would execute JavaScript in the target browser.
In practice, in a production setup, such an injection might be caught by the WSGI layer.
For example, the popular mod_wsgi would catch such an injection and return a 500 instead:
https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L75
Thanks go to Julien Cristau for noticing that such a mitigation existed.
--
Pierre-Yves David
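The announcement above credits the WSGI layer with catching the injection and answering 500. The following is an added illustration of that safety net, not Mercurial's or mod_wsgi's code and not a description of how CVE-2025-2361 itself works: a constructed WSGI app that reflects a query parameter into a response header unescaped, a validating middleware (modelled on, not copied from, the header validation the post links to; the exact character policy is an assumption) that refuses such headers with a 500, and a hardened variant of the app that percent-encodes the value before it reaches the header. All names, the crafted query string and the vulnerable app are constructed for this example.

```python
"""Added example (not Mercurial or mod_wsgi code): a WSGI middleware that rejects
response headers carrying control characters and answers 500 instead, beside a
constructed app that would otherwise let a crafted link inject headers."""
import re
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults

# Assumed policy: header names restricted to RFC 7230 tchar, values may not
# contain CR, LF, NUL or other C0 controls (horizontal tab excepted).
_BAD_NAME = re.compile(r"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")
_BAD_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when an application tries to emit an invalid response header."""


def validate_headers(headers):
    """Return the header list unchanged, or raise HeaderInjection."""
    for name, value in headers:
        if not name or _BAD_NAME.search(name):
            raise HeaderInjection(f"invalid header name: {name!r}")
        if _BAD_VALUE.search(value):
            raise HeaderInjection(f"control character in header {name!r}: {value!r}")
    return headers


class ValidatingMiddleware:
    """Wrap a WSGI app; if it tries to send an invalid header, answer 500."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            validate_headers(headers)  # raises before the server sees the header
            return start_response(status, headers, exc_info)

        try:
            return self.app(environ, guarded_start_response)
        except HeaderInjection as exc:
            # The original start_response was never reached, so we may still
            # begin a fresh (error) response here.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"500 Internal Server Error: " + str(exc).encode()]


def naive_redirect_app(environ, start_response):
    """Constructed vulnerable app: reflects ?next= unescaped into Location."""
    target = parse_qs(environ.get("QUERY_STRING", "")).get("next", ["/"])[0]
    start_response("302 Found", [("Location", target)])
    return [b""]


def hardened_redirect_app(environ, start_response):
    """Illustrative application-level fix: percent-encode the reflected value
    so CR/LF (and anything else outside the safe set) cannot split headers."""
    target = parse_qs(environ.get("QUERY_STRING", "")).get("next", ["/"])[0]
    start_response("302 Found", [("Location", quote(target, safe="/?=&:"))])
    return [b""]


# Constructed attacker link: a CRLF-split that smuggles an HTML body into what
# the app believes is a redirect target.
CRAFTED_QUERY = "next=" + quote(
    "/\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>", safe="")


def run(app, query):
    """Drive a WSGI app offline; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, app in (("naive", naive_redirect_app),
                       ("naive+middleware", ValidatingMiddleware(naive_redirect_app)),
                       ("hardened", hardened_redirect_app)):
        status, headers, _ = run(app, CRAFTED_QUERY)
        print(label, status, headers)
```

Running it shows the naive app happily emitting a Location header containing CR/LF, the wrapped app answering 500 Internal Server Error, and the hardened app sending a 302 whose Location carries only percent-encoded bytes. The middleware is a server-side backstop of the kind the post describes; it does not replace upgrading to 6.9.4, since it only fires for header-level injection and does nothing for script that lands in an HTML body.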