Reflected Cross-Site Scripting Vulnerability in wabac.js by Webrecorder
CVE-2025-58765

7.1 HIGH

Key Information:

Status
Vendor
CVE Published: 9 September 2025

What is CVE-2025-58765?

The wabac.js library, which implements a web archive replay system using Service Workers, contains a reflected cross-site scripting vulnerability in its 404 error handling logic. In versions 2.23.10 and earlier, the 'requestURL' parameter is inserted directly into an inline script without proper sanitization. An attacker can craft a malicious URL that executes arbitrary JavaScript in the user’s browser; this poses significant security threats, depending on the implementation of CORS policies. Users are advised to update to version 2.23.11 to mitigate this risk.
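
An added example (not wabac.js code and not part of the original advisory) of the bug class described above: a hypothetical 404-page builder that interpolates the request URL into an inline script, next to a hardened version. All function names and the sample URL are assumptions made for illustration.

```javascript
// Added example: hypothetical 404-page builders, not wabac.js source code.

// Vulnerable pattern: the URL is pasted between quotes in an inline script.
function notFoundPageUnsafe(requestURL) {
  return `<p>Archived page not found.</p>
<script>
  const requestURL = "${requestURL}";
</script>`;
}

// Serialize a value as a JS literal that is safe inside <script>...</script>.
// JSON.stringify escapes quotes, backslashes and control characters. The
// replacements keep the HTML parser from ever seeing "</script>" or "<!--",
// and escape U+2028/U+2029, which JSON.stringify leaves raw.
function toInlineScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened pattern: same page, but the value goes through the serializer.
function notFoundPageSafe(requestURL) {
  return `<p>Archived page not found.</p>
<script>
  const requestURL = ${toInlineScriptLiteral(requestURL)};
</script>`;
}

// Defender's checks: how many script elements the markup opens, and what
// the first one contains as an HTML parser would delimit it.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
function firstScriptBody(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  return html.slice(start, html.indexOf("</script>", start));
}

// Constructed input: a URL carrying a quote and a script-closing tag.
const SAMPLE_URL = 'https://archive.example/missing"</script><script>/* marker */';

console.log("script tags, unsafe:", countScriptTags(notFoundPageUnsafe(SAMPLE_URL)));
console.log("script tags, safe:  ", countScriptTags(notFoundPageSafe(SAMPLE_URL)));
```

The same serializer can back a regression test for any page that reflects request data into a script block: the rendered markup should open exactly as many script elements as the template does.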

Affected Version(s)

wabac.js < 2.23.11

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
