
CVE-2025-11449 PoC — Reflected Cross Site Scripting in ServiceNow AI Platform

Associated Vulnerability
Title: Reflected Cross Site Scripting in ServiceNow AI Platform (CVE-2025-11449)
Description: ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configuration. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so.
Description
This script automatically detects and remediates **CVE-2025-11449** and **CVE-2025-11450** security vulnerabilities in ServiceNow UI Macros. These critical vulnerabilities could allow arbitrary code execution in users' browsers through specially crafted links if user-controlled `sysparm_` parameters are not properly sanitized.
Readme
# ServiceNow CVE-2025-11449 & CVE-2025-11450 Mitigation Script

## Overview

This script automatically detects and remediates **CVE-2025-11449** and **CVE-2025-11450** security vulnerabilities in ServiceNow UI Macros. These vulnerabilities could allow arbitrary code execution in users' browsers through specially crafted links if user-controlled `sysparm_` parameters are not properly sanitized.

## Affected UI Macros

- `$pwd_verify_email`
- `$pwd_verify_personal_data_ui`

## What This Script Does

The script performs two key security fixes:

### 1. **Outside `<g:evaluate>` Blocks**: Adds proper encoding
Outside `<g:evaluate>`, a `${sysparm_<XYZ>}` expression expands directly into the rendered page (an attribute value, text node, or inline script), so the request parameter needs both the JS and the HTML escaping types (see the Jelly escaping reference below). The script replaces the unescaped and single-escaped patterns with the `JS,HTML` form:
- `${sysparm_<XYZ>}` → `${JS,HTML:sysparm_<XYZ>}`
- `${HTML:sysparm_<XYZ>}` → `${JS,HTML:sysparm_<XYZ>}`
- `${JS:sysparm_<XYZ>}` → `${JS,HTML:sysparm_<XYZ>}`

### 2. **Inside `<g:evaluate>` Blocks**: Uses Jelly variable references
Inside `<g:evaluate>`, `${...}` expressions are expanded by Jelly into the server-side script source before that script runs, so interpolating a request parameter builds code out of user input; escaping changes the text but not the fact that it is then parsed as code. The script therefore replaces string interpolation with a reference to the Jelly variable object, which reads the value at run time without expanding it into the source:
- `"${sysparm_<XYZ>}"` → `jelly.sysparm_<XYZ>` (removes the surrounding quotes, since the reference is an expression, not a string literal)
- `${HTML:sysparm_<XYZ>}` → `jelly.sysparm_<XYZ>`
- Even `${JS,HTML:sysparm_<XYZ>}` → `jelly.sysparm_<XYZ>` (still unsafe inside `<g:evaluate>`)
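The two rules above, applied in one pass over a macro's XML, as an added example that is not the repository's `CVE_2025_11449_fix.js`. The ServiceNow script reads each macro from the `sys_ui_macro` table; here a constructed sample XML (modelled on the shape of the password-reset macros, not their real content) is embedded so the logic runs stand-alone in Node. Everything between `<g:evaluate>` tags gets the `jelly.` rewrite, everything else gets the `JS,HTML` rewrite, and a second run over the cured output reports nothing.

```javascript
// Added example, not the project's own script: the README's rewrite rules
// applied to a constructed UI Macro XML string. In ServiceNow the XML would
// come from a GlideRecord on sys_ui_macro; here it is embedded (assumption).

// Escaping type combination the README treats as safe outside <g:evaluate>.
const SAFE_OUTSIDE = 'JS,HTML';

// Matches ${sysparm_x}, ${HTML:sysparm_x}, ${JS:sysparm_x}, ${JS,HTML:sysparm_x}:
// group 1 = escaping types (undefined when absent), group 2 = the sysparm_ name.
const SYSPARM_EXPR = /\$\{(?:([A-Z,]+):)?(sysparm_\w+)\}/g;

// Same expression, optionally wrapped in quotes (the form used when the value
// is interpolated into a string literal inside <g:evaluate>).
const QUOTED_SYSPARM_EXPR = /(["'])?\$\{(?:([A-Z,]+):)?(sysparm_\w+)\}(["'])?/g;

// <g:evaluate ...>...</g:evaluate>, or the self-closing <g:evaluate .../> form.
const EVALUATE_BLOCK = /<g:evaluate\b[^>]*?(?:\/>|>[\s\S]*?<\/g:evaluate>)/g;

// Rule 1: outside <g:evaluate>, anything not already JS,HTML-escaped becomes
// ${JS,HTML:sysparm_x}. Each rewritten pattern is recorded in `findings`.
function fixOutside(text, findings) {
  return text.replace(SYSPARM_EXPR, (match, escapes, name) => {
    if (escapes === SAFE_OUTSIDE) return match;
    findings.push({ where: 'outside', pattern: match });
    return '${JS,HTML:' + name + '}';
  });
}

// Rule 2: inside <g:evaluate>, every interpolation (escaped or not) becomes a
// jelly.sysparm_x reference. A matching pair of surrounding quotes is dropped
// (the reference is an expression, not a string); a lone quote is kept.
function fixInside(text, findings) {
  return text.replace(QUOTED_SYSPARM_EXPR, (match, open, escapes, name, close) => {
    findings.push({ where: 'inside', pattern: match });
    const paired = Boolean(open) && open === close;
    return (paired ? '' : open || '') + 'jelly.' + name + (paired ? '' : close || '');
  });
}

// Walk the XML: rule 2 for each <g:evaluate> block, rule 1 for the markup
// between blocks. Returns the cured XML and the list of findings.
function cureMacroXml(xml) {
  const findings = [];
  let cured = '';
  let last = 0;
  for (const m of xml.matchAll(EVALUATE_BLOCK)) {
    cured += fixOutside(xml.slice(last, m.index), findings);
    cured += fixInside(m[0], findings);
    last = m.index + m[0].length;
  }
  cured += fixOutside(xml.slice(last), findings);
  return { xml: cured, findings };
}

// Report in the shape of the README's example output.
function formatReport(macroName, result) {
  const outside = result.findings.filter((f) => f.where === 'outside');
  const inside = result.findings.filter((f) => f.where === 'inside');
  const lines = [(result.findings.length ? 'AFFECTED' : 'CLEAN') + ' Macro: ' + macroName];
  lines.push('Found ' + outside.length + ' vulnerable sysparm_ pattern(s) outside <g:evaluate>:');
  outside.forEach((f) => lines.push('  - ' + f.pattern));
  lines.push('Found ' + inside.length + ' vulnerable sysparm_ pattern(s) inside <g:evaluate>:');
  inside.forEach((f) => lines.push('  - ' + f.pattern));
  lines.push('Suggested Cured XML:', result.xml);
  return lines.join('\n');
}

// Constructed sample; not the real $pwd_verify_personal_data_ui content.
const SAMPLE_MACRO_XML = [
  '<?xml version="1.0" encoding="utf-8" ?>',
  '<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide" xmlns:j2="null" xmlns:g2="null">',
  '  <g:evaluate var="jvar_vid">',
  '    var vid = "${sysparm_verification_id}";',
  '    vid;',
  '  </g:evaluate>',
  '  <input type="hidden" name="sysparm_verification_id" value="${HTML:sysparm_verification_id}"/>',
  '  <input type="hidden" name="sysparm_token" value="${sysparm_token}"/>',
  '  <input type="hidden" name="sysparm_safe" value="${JS,HTML:sysparm_safe}"/>',
  '</j:jelly>',
].join('\n');

console.log(formatReport('$pwd_verify_personal_data_ui', cureMacroXml(SAMPLE_MACRO_XML)));
```

Running it reports one finding inside `<g:evaluate>` (the quoted `"${sysparm_verification_id}"`, rewritten to `jelly.sysparm_verification_id` with the quotes removed) and two outside (`${HTML:...}` and the bare `${sysparm_token}`), while the already `JS,HTML`-escaped `sysparm_safe` is left alone. The self-closing `<g:evaluate .../>` alternative in `EVALUATE_BLOCK` matters: without it, a self-closing tag would make the regex swallow everything up to the next `</g:evaluate>` and apply the inside rule to ordinary markup.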

## Usage

### Prerequisites
- ServiceNow instance with admin access
- Access to Scripts - Background module

### Instructions

1. **Backup First!**
   - Navigate to **System UI > UI Macros**
   - Export `$pwd_verify_email` and `$pwd_verify_personal_data_ui` as XML so the original records can be restored

2. **Run the Detection Script**
   - Navigate to **System Definition > Scripts - Background**
   - Copy and paste the script from `CVE_2025_11449_fix.js`
   - Click **Run script**

3. **Review the Output**
   - The script will log all vulnerabilities found
   - Review the "Suggested Cured XML" output
   - Verify the changes are appropriate for your environment

4. **Apply the Fix**
   - **Manual Application (Recommended)**: Copy the cured XML and manually update the UI Macro
   - Editing these out-of-box UI Macros marks them as customized, so later upgrades will skip them; once the patch or hot fix named in the ServiceNow advisory is installed, revert the macros to the vendor version rather than keeping the hand-edited copy

5. **Test Thoroughly**
   - Test password reset flows
   - Verify email verification processes
   - Ensure no functionality is broken

## Example Output

```
AFFECTED Macro: $pwd_verify_personal_data_ui (sys_id: abc123...) [ACTIVE - HIGH PRIORITY]
Found 8 vulnerable sysparm_ pattern(s) outside <g:evaluate>:
  - ${HTML:sysparm_verification_id}
  - ${HTML:sysparm_verification_id}
  - ${HTML:sysparm_verification_id}
  - ${HTML:sysparm_verification_id}
  - ${HTML:sysparm_verification_id}
  ... and 3 more
Found 1 vulnerable sysparm_ pattern(s) inside <g:evaluate>:
  - "${sysparm_verification_id}"

Suggested Cured XML:
[Fixed XML output here]
---
```

### Customize for Other Macros

To check additional UI Macros, modify line 3:

```javascript
var macrosToCheck = ['$pwd_verify_email', '$pwd_verify_personal_data_ui', 'your_custom_macro'];
```

## Security Impact

These vulnerabilities allow reflected Cross-Site Scripting (XSS): a user who follows a specially crafted link has attacker-controlled JavaScript run in their browser in the context of the ServiceNow instance, which could:
- Execute arbitrary JavaScript in user browsers
- Steal session tokens and credentials
- Perform actions on behalf of authenticated users
- Compromise password reset flows

## Contributing

Found an issue or have an improvement? Please:
1. Open an issue with details
2. Submit a pull request with test cases
3. Report false positives/negatives

## References
- [ServiceNow Security Advisory - CVE-2025-11449 and CVE-2025-11450](https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2555298)
- [Jelly escaping ServiceNow documentation](https://www.servicenow.com/docs/csh?topicname=r_JellyEscapingTypes.html)

## License

MIT License - Feel free to use, modify, and distribute.

## Disclaimer

**Use at your own risk!** Always:
- Test in a sub-production environment first
- Back up your UI Macros before applying changes
- Review the generated XML manually
- Understand the security implications

This script is provided as-is without warranty. The author is not responsible for any damage or issues caused by its use.

## Author

The script was generated by [ServiceNow Helper](https://github.com/DanielMadsenDK/servicenow-helper) by Daniel Aagren Seehartrai Madsen

Created to help the ServiceNow community address critical security vulnerabilities quickly and safely.

## Changelog

### v1.0.0 (2025-10-10)
- Initial release
