
CVE-2025-58765: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webrecorder wabac.js

Severity: High
Published: Tue Sep 09 2025 (09/09/2025, 20:16:26 UTC)
Source: CVE Database V5
Vendor/Project: webrecorder
Product: wabac.js

Description

wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. The vulnerability is fixed in wabac.js v2.23.11.

AI-Powered Analysis

Last updated: 09/17/2025, 01:11:03 UTC

Technical Analysis

CVE-2025-58765 is a high-severity Reflected Cross-Site Scripting (XSS) vulnerability identified in wabac.js, a JavaScript library that provides a full web archive replay system (similar to a 'wayback machine') using Service Workers. The vulnerability affects versions prior to 2.23.11. Specifically, the issue lies in the 404 error handling logic where the parameter `requestURL`, derived from the original request target, is embedded directly into an inline <script> block without proper sanitization or escaping. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript code in the victim's browser context. The exploitation is reflected, meaning the malicious payload is part of the URL and executed immediately upon visiting the crafted link. The scope of the attack may be limited by Cross-Origin Resource Sharing (CORS) policies depending on how wabac.js is deployed, but in many scenarios, this could lead to theft of sensitive information, session hijacking, or further client-side attacks. The vulnerability does not require authentication but does require user interaction (clicking or visiting the malicious URL). The CVSS 3.1 base score is 7.1, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction, and impacting confidentiality, integrity, and availability to a limited extent. The vulnerability was published on September 9, 2025, and fixed in version 2.23.11 of wabac.js. No known exploits in the wild have been reported yet.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on wabac.js for web archiving or replay functionality in their web applications or digital preservation systems. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to credential theft, session hijacking, defacement, or distribution of malware. This could undermine trust in archival services, lead to data breaches, and cause reputational damage. Since wabac.js is used in web archive replay, organizations such as libraries, research institutions, government archives, and cultural heritage organizations in Europe could be targeted. The reflected XSS could also be leveraged in targeted phishing campaigns against employees or users of these services. The impact on confidentiality and integrity is moderate, but the availability impact is generally low unless the injected scripts perform denial-of-service actions. The vulnerability's exploitation does not require authentication, increasing the risk surface. The presence of CORS policies may limit exploitation in some deployments, but this is not guaranteed. Overall, European organizations using vulnerable versions of wabac.js should consider this a high-risk issue requiring prompt remediation.

Mitigation Recommendations

1. Immediately upgrade to wabac.js version 2.23.11 or later, where the vulnerability is fixed.
2. If upgrading is not immediately possible, implement input validation and output encoding on the `requestURL` parameter to ensure it is properly sanitized before embedding in any inline scripts.
3. Employ Content Security Policy (CSP) headers that restrict inline script execution and limit the sources from which scripts can be loaded, mitigating the impact of XSS.
4. Review and tighten CORS policies to restrict cross-origin requests and reduce the attack surface.
5. Conduct security testing and code review of any customizations or integrations involving wabac.js to detect similar injection points.
6. Educate users about the risks of clicking on suspicious URLs, especially those related to web archive services.
7. Monitor logs and web traffic for unusual requests or error patterns that might indicate attempted exploitation.
8. Consider implementing web application firewalls (WAF) with rules to detect and block reflected XSS payloads targeting the affected parameter.

These steps go beyond generic advice by focusing on specific controls related to wabac.js usage and the nature of the vulnerability.
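The following is an added illustration, not wabac.js code: a hypothetical sketch of the unsafe pattern the description names (a request URL concatenated straight into an inline `<script>` block) next to the output-encoding fix that mitigation step 2 calls for. The function names, the sample URL and the HTML skeleton are constructed for this example.

```javascript
// Added example (not wabac.js code). `renderNotFoundUnsafe` sketches the
// vulnerable pattern described in the advisory; `renderNotFoundSafe` shows
// the output-encoding fix from mitigation step 2.

// Serialize a value as a JavaScript literal that is safe inside a <script>
// element: JSON.stringify quotes it, then the characters that could close
// the script element or break JS parsing are replaced with \uXXXX escapes.
// The browser's JS engine decodes the escapes, so the value is unchanged.
function toScriptSafeLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable pattern: string concatenation straight into the script body.
// Any quote or "</script" sequence in requestURL changes the page structure.
function renderNotFoundUnsafe(requestURL) {
  return `<!doctype html><body><script>
    const requestURL = "${requestURL}";
    document.body.textContent = "Not found: " + requestURL;
  </script></body>`;
}

// Hardened pattern: requestURL only ever appears as an encoded JS string
// literal, and the DOM is updated via textContent rather than innerHTML.
function renderNotFoundSafe(requestURL) {
  return `<!doctype html><body><script>
    const requestURL = ${toScriptSafeLiteral(requestURL)};
    document.body.textContent = "Not found: " + requestURL;
  </script></body>`;
}

// Check helper: count script-element close tags in the generated HTML. The
// template writes exactly one; any extra one came from the input
// (matched case-insensitively, like the HTML tokenizer).
function countScriptCloseTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample input containing the sequence that would terminate the
// inline script element early.
const SAMPLE_URL = "https://example.org/archive/</script><b>x</b>";
```

The hardened renderer keeps the close-tag count at one for the sample input, while the unsafe renderer's count rises to two, which is the structural change a reflected payload relies on.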


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-04T19:18:09.500Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c08cadbf8644e23a9d2222

Added to database: 9/9/2025, 8:23:09 PM

Last enriched: 9/17/2025, 1:11:03 AM

Last updated: 10/29/2025, 9:45:28 PM

