Webrecorder packages are vulnerable to XSS through 404 error handling logic
Severity: High
Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The requestURL parameter (derived from the original request target) is embedded directly into an inline <script> block without sanitization or escaping, so a crafted request target that reaches the 404 path can break out of the script's string context and execute attacker-supplied JavaScript in the page.
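To make the pattern concrete, the following is an added example and not wabac.js's own code: a minimal 404 renderer that interpolates the request target into an inline script the vulnerable way, beside a hardened version that serializes the value as a JSON literal with `<`, `>` and the JavaScript line terminators escaped. The function names, the `window.requestURL` assignment, the page template and the payload are assumptions used for illustration only.

```javascript
// Added illustrative example, not code from wabac.js. Function names, the
// template and the window.requestURL assignment are assumptions; only the
// pattern (request target interpolated into an inline <script>) matches
// the advisory.

// Vulnerable pattern: the attacker-controlled request target is concatenated
// straight into script source. A value containing a quote or "</script>"
// changes the structure of the page rather than just the string.
function render404Vulnerable(requestURL) {
  return `<!doctype html><html><body>
<p>Not found</p>
<script>
  window.requestURL = "${requestURL}";
</script>
</body></html>`;
}

// Hardened pattern: JSON.stringify escapes quotes and backslashes; the extra
// replacements cover what JSON alone does not protect against inside a
// <script> element: "<" and ">" (so "</script>" and "<!--" cannot appear in
// the raw HTML) and U+2028/U+2029, which older engines reject in literals.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function render404Hardened(requestURL) {
  return `<!doctype html><html><body>
<p>Not found</p>
<script>
  window.requestURL = ${toScriptLiteral(requestURL)};
</script>
</body></html>`;
}

// --- Small checks a reviewer can run against either renderer ---

// Number of <script> start tags in the rendered page; a correct 404 page
// has exactly one.
function scriptTagCount(html) {
  return (html.match(/<script>/g) || []).length;
}

// Body of the first <script> element.
function firstScriptBody(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  return m ? m[1] : null;
}

// Execute the first script body against a stand-in window object and return
// the value it assigned, to confirm the hardened page round-trips the URL
// unchanged (the escapes are decoded by the JS parser, not left in the value).
function evalRequestURL(html) {
  const fakeWindow = {};
  new Function("window", firstScriptBody(html) + "\nreturn;")(fakeWindow);
  return fakeWindow.requestURL;
}

// Constructed payload: closes the script element and opens a new one.
const SAMPLE_PAYLOAD = "</script><script>alert(1)</script>";
```

With `SAMPLE_PAYLOAD`, `scriptTagCount(render404Vulnerable(SAMPLE_PAYLOAD))` is 2 because the injected tag survives verbatim, while the hardened page keeps a single script whose body decodes back to the original string. The HTML parser tokenizes `</script>` before the JavaScript engine ever sees the string, which is why escaping only quotes is not enough and `<` must be neutralized as well.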
Recommendation
Update the @webrecorder/archivewebpage package to the latest compatible version. Version details:
- Affected version(s): < 0.15.4
- Patched version(s): 0.15.4
Tags: npm, @webrecorder/archivewebpage
Last updated on September 10, 2025