Webrecorder packages are vulnerable to XSS through 404 error handling logic (GHSA-w765-jm6w-4hhj)
- Severity: High
Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL (derived from the original request target) is directly embedded into an inline <script> block without sanitization or escaping.
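The following is an added illustration, not code from wabac.js or replaywebpage and not the project's actual fix, of the pattern the description refers to: a request-derived string written into an inline script block, shown beside a form that serializes the value so it cannot terminate the script context. The function names are hypothetical.

```javascript
// Added example (not wabac.js or replaywebpage code): embedding a
// request-derived value inside an inline <script> block without letting it
// break out of the script context. All function names are hypothetical.

// Serialize `value` as a JavaScript literal that is safe to interpolate into
// inline script text. JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements turn the characters the HTML tokenizer
// cares about ("<", ">", "&") into JS \u escapes, so sequences such as
// "</script>" or "<!--" are never seen by the HTML parser, and they also
// escape U+2028/U+2029, which older JS engines treat as line terminators.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The pattern the advisory describes: the request URL is pasted straight
// into the script text. Kept here only for the comparison check below.
function renderNotFoundPageUnsafe(requestURL) {
  return `<!doctype html><body><p id="msg"></p><script>
  const requestURL = "${requestURL}";
  document.getElementById("msg").textContent = "No archived page for " + requestURL;
</script></body>`;
}

// Hardened form: the value is emitted through toScriptLiteral().
function renderNotFoundPage(requestURL) {
  return `<!doctype html><body><p id="msg"></p><script>
  const requestURL = ${toScriptLiteral(requestURL)};
  document.getElementById("msg").textContent = "No archived page for " + requestURL;
</script></body>`;
}

// Check for a rendered page: between the opening <script> tag and the page's
// own closing </script> (the last one in the document) there must be no
// "<", ">", "&" or raw U+2028/U+2029. If any appear, untrusted text reached
// the HTML tokenizer inside script content and could end the block early.
function scriptBodyIsInert(html) {
  const start = html.indexOf("<script>");
  const end = html.lastIndexOf("</script>");
  if (start < 0 || end < start) return false;
  const body = html.slice(start + "<script>".length, end);
  return !/[<>&\u2028\u2029]/.test(body);
}
```

The check is the kind of assertion a unit test for a 404 renderer can carry: it decodes nothing and simply refuses any output whose script body contains characters the HTML tokenizer could interpret. Escaping via `\u` sequences rather than HTML entities is deliberate, because entities are not decoded inside script content.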
Recommendation
Update the replaywebpage package to the latest compatible version. Version details:
- Affected version(s): < 2.3.17
- Patched version(s): 2.3.17
References
Related Issues
- node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - CVE-2025-12816
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views - CVE-2023-36472
- Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
- Tags: npm, replaywebpage
Last updated on September 10, 2025