CVE-2025-58765 HIGH

CVE-2025-58765: wabac.js has XSS vulnerability in 404 error handling logic

Vendor Webrecorder
Product wabac.js
Weakness CWE-79 · XSS
Published September 9, 2025
Last update September 10, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

Description

wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. The vulnerability is fixed in wabac.js v2.23.11.
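To make the weakness class concrete, the following is an added illustration that is not wabac.js code and makes no claim about how that project's 404 handler is written. It contrasts a page builder that interpolates a request URL straight into an inline script (the pattern CWE-79 describes here) with one that serialises the value as a JavaScript string literal and neutralises the characters the HTML parser would treat as a script-closing tag. The helper names, templates and the constructed sample URL are all assumptions of this example.

```javascript
// Added example (not wabac.js code). Two builders for a "not found" page
// that echoes the requested URL inside an inline <script> element.

// Vulnerable pattern: raw string interpolation into JavaScript source.
// A quote in requestURL ends the string literal; a "</script>" ends the
// script element, because the HTML parser runs before the JS parser.
function buildNotFoundPageUnsafe(requestURL) {
  return `<!doctype html><html><body>
<p>Archived page not found.</p>
<script>
  const requestURL = "${requestURL}";
  document.body.append(document.createTextNode("Requested: " + requestURL));
</script>
</body></html>`;
}

// Hardened serialiser for values placed inside an inline script.
// JSON.stringify yields a valid JS string literal (quotes and backslashes
// escaped). The HTML parser does not understand JS escapes, so "<" and ">"
// are additionally rewritten as \u003c / \u003e, which keeps the literal
// valid JavaScript while ensuring no "</script>" reaches the tokenizer.
// U+2028 / U+2029 are escaped for engines that treat them as line breaks.
function toInlineScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Same page, with the value passed through the serialiser.
function buildNotFoundPageSafe(requestURL) {
  return `<!doctype html><html><body>
<p>Archived page not found.</p>
<script>
  const requestURL = ${toInlineScriptLiteral(requestURL)};
  document.body.append(document.createTextNode("Requested: " + requestURL));
</script>
</body></html>`;
}

// Simple check usable in a unit test or template review: count the script
// start tags the HTML parser will see. The template contributes exactly one;
// any extra tag came from untrusted input.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample input (not from the advisory): a request target that
// carries a quote and a script-closing tag.
const SAMPLE_REQUEST_URL = '/archive/example"</script><script>injected()</script>';

console.log('unsafe page script tags:', countScriptOpenTags(buildNotFoundPageUnsafe(SAMPLE_REQUEST_URL)));
console.log('safe page script tags:  ', countScriptOpenTags(buildNotFoundPageSafe(SAMPLE_REQUEST_URL)));
```

The round trip `JSON.parse(toInlineScriptLiteral(x)) === x` holds for every string, so the escaped form loses nothing; it only changes which characters appear literally in the markup. Where a framework or templating layer already offers a "JS-context" escaping function, use that rather than a hand-written one.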

Key dates

Disclosure timeline

September 9, 2025 CVE published
September 10, 2025 Record updated
