CVE-2025-58765: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webrecorder wabac.js

Severity: High
Tags: Vulnerability, CVE-2025-58765, cve, cve-2025-58765, cwe-79
Published: Tue Sep 09 2025 (09/09/2025, 20:16:26 UTC)
Source: CVE Database V5
Vendor/Project: webrecorder
Product: wabac.js

Description

wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. The vulnerability is fixed in wabac.js v2.23.11.

AI-Powered Analysis

Last updated: 09/09/2025, 20:23:37 UTC

Technical Analysis

CVE-2025-58765 is a high-severity Reflected Cross-Site Scripting (XSS) vulnerability identified in wabac.js, a JavaScript library used by the webrecorder project to provide a full web archive replay system leveraging Service Workers. The vulnerability affects versions prior to 2.23.11. Specifically, the issue resides in the 404 error handling logic where the parameter `requestURL`, derived from the original request target, is embedded directly into an inline `<script>` block without proper sanitization or escaping. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript code in the victim’s browser context. The exploitation of this vulnerability can lead to theft of sensitive information, session hijacking, or manipulation of the web archive content displayed to the user. The impact scope may be influenced by Cross-Origin Resource Sharing (CORS) policies depending on how wabac.js is deployed, potentially limiting or enabling cross-origin script execution. The vulnerability was publicly disclosed on September 9, 2025, with a CVSS v3.1 base score of 7.1, indicating a high severity level. No known exploits are currently reported in the wild, and the issue is resolved in version 2.23.11 of wabac.js.
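
The bug class described above, shown as an added example (not wabac.js code and not the project's actual patch): a 404 page builder that pastes a URL into an inline `<script>`, next to a hardened version that serializes the value as a script-safe literal. All function names and the sample URL are hypothetical and constructed for illustration.

```javascript
// Hypothetical helpers for illustration; none of these names come from wabac.js.

// Vulnerable pattern: the URL is pasted into a JS string inside an inline <script>.
function render404Unsafe(requestURL) {
  return `<p>Page not found</p>
<script>
  window.notFoundUrl = "${requestURL}";
</script>`;
}

// Serialize a value as a JS literal that is safe inside an inline <script>.
// JSON.stringify handles quotes, backslashes and newlines; the replace step
// escapes characters that the HTML parser (<, >, &) or older JS engines
// (U+2028, U+2029) treat specially inside a script block.
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Hardened pattern: same page, but the value can no longer leave the string.
function render404Safe(requestURL) {
  return `<p>Page not found</p>
<script>
  window.notFoundUrl = ${toScriptLiteral(requestURL)};
</script>`;
}

// Number of script end tags an HTML parser would find in the page.
// A correctly built page has exactly one.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Parse the emitted literal back, to confirm the URL survives unchanged.
function decodeLiteral(html) {
  const m = html.match(/window\.notFoundUrl = (.*);\n/);
  return JSON.parse(m[1]);
}

// Constructed input: a request target containing a quote and a closing tag.
const SAMPLE_URL = 'https://example.org/missing"</script><b>constructed-marker</b>';

console.log("unsafe script end tags:", countScriptCloses(render404Unsafe(SAMPLE_URL)));
console.log("safe script end tags:  ", countScriptCloses(render404Safe(SAMPLE_URL)));
console.log("round-trips:", decodeLiteral(render404Safe(SAMPLE_URL)) === SAMPLE_URL);
```

In the unsafe output the request target terminates the script element early, so the rest of the URL is parsed as markup; in the hardened output it stays inside a single string literal and decodes back to the original URL.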

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for entities relying on webrecorder’s wabac.js for archiving or replaying web content, such as digital libraries, research institutions, government archives, and media organizations. Successful exploitation could lead to unauthorized execution of malicious scripts in users’ browsers, potentially compromising user credentials, leaking sensitive archived data, or enabling further attacks such as phishing or malware delivery. Given the nature of web archives, which often contain historical or sensitive information, the integrity and confidentiality of archived data could be undermined. Additionally, the reflected XSS could be used as a vector to target employees or citizens interacting with web archive services, thereby affecting trust and compliance with data protection regulations like GDPR. The availability impact is moderate but could escalate if attackers leverage the vulnerability to disrupt service or inject malicious payloads that degrade system performance or user experience.

Mitigation Recommendations

European organizations using wabac.js should immediately upgrade to version 2.23.11 or later to apply the official patch that properly sanitizes the `requestURL` parameter. In addition to patching, organizations should implement Content Security Policy (CSP) headers that restrict the execution of inline scripts and limit the sources of executable scripts to trusted domains, thereby reducing the risk of XSS exploitation. Web application firewalls (WAFs) can be configured to detect and block suspicious URL patterns that attempt to inject script payloads into the `requestURL` parameter. Regular security audits and code reviews of web archive implementations should be conducted to identify similar injection points. User education on the risks of clicking suspicious links and monitoring of web server logs for anomalous requests targeting the 404 error handler can provide early detection of exploitation attempts. Finally, organizations should ensure that CORS policies are strictly configured to prevent unauthorized cross-origin script execution related to wabac.js deployments.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-04T19:18:09.500Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68c08cadbf8644e23a9d2222

Added to database: 9/9/2025, 8:23:09 PM

Last enriched: 9/9/2025, 8:23:37 PM

Last updated: 9/10/2025, 4:07:21 AM
