Webrecorder packages are vulnerable to XSS through 404 error handling logic - replaywebpage

Severity:: High

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL (derived from the original request target) is directly embedded into an inline <script> block without sanitization or escaping.

Recommendation

Update the replaywebpage package to the latest compatible version. Followings are version details:

Affected version(s): < 2.3.17
Patched version(s): 2.3.17

References

GHSA-w765-jm6w-4hhj
CVE-2025-58765
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
@pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation - CVE-2025-53626
Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; replaywebpage

Anything's wrong? Let us know Last updated on September 10, 2025