
CVE-2025-62613: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in steveseguin vdo.ninja

Severity: Medium
Tags: Vulnerability, CVE-2025-62613, cve, cwe-79
Published: Wed Oct 22 2025 (10/22/2025, 20:52:57 UTC)
Source: CVE Database V5
Vendor/Project: steveseguin
Product: vdo.ninja

Description

VDO.Ninja is a tool that brings remote video feeds into OBS or other studio software via WebRTC. From versions 28.0 to before 28.4, a reflected Cross-Site Scripting (XSS) vulnerability exists on examples/control.html through the room parameter, which is improperly sanitized before being rendered in the DOM. The application fails to validate and encode user input, allowing malicious scripts to be injected and executed. This issue has been patched in version 28.4.

AI-Powered Analysis

Last updated: 10/22/2025, 21:12:19 UTC

Technical Analysis

CVE-2025-62613 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the vdo.ninja application, a tool that integrates remote video feeds into broadcasting software via WebRTC. Specifically, the vulnerability exists in versions 28.0 through 28.3 inclusive, within the examples/control.html page. The flaw arises because the 'room' URL parameter is not properly sanitized or encoded before being inserted into the Document Object Model (DOM). This improper neutralization of input (classified under CWE-79) allows an attacker to craft a malicious URL containing executable JavaScript code. When a victim accesses this URL, the injected script executes in their browser context, potentially compromising confidentiality and integrity by stealing cookies, session tokens, or performing unauthorized actions. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9, reflecting a medium severity due to network attack vector, low complexity, and no privileges or user interaction needed. The vulnerability has been addressed and fixed in vdo.ninja version 28.4. No public exploits have been reported to date, but the flaw remains a significant risk for users of affected versions.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those in media production, broadcasting, and remote collaboration sectors that rely on vdo.ninja for integrating remote video feeds into studio software like OBS. Successful exploitation could lead to session hijacking, unauthorized command execution within the victim's browser, or delivery of further malware payloads. This could compromise sensitive broadcast content, disrupt live productions, or lead to reputational damage. Given the vulnerability requires no authentication or user interaction, attackers could easily target employees or collaborators via phishing or malicious links. The reflected XSS could also be used as a stepping stone for more advanced attacks within internal networks if combined with other vulnerabilities. While no known exploits are currently active, the medium severity rating and ease of exploitation warrant prompt remediation to prevent potential data breaches or operational disruptions.

Mitigation Recommendations

European organizations using vdo.ninja should immediately upgrade to version 28.4 or later, where the vulnerability is patched. Until an upgrade is possible, organizations should implement strict input validation and output encoding on any user-supplied data, especially URL parameters such as 'room'. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Additionally, monitor web server logs for suspicious requests containing unusual or encoded script payloads targeting the 'room' parameter. Educate users and administrators about the risks of clicking untrusted links and implement web filtering to block known malicious URLs. For organizations embedding vdo.ninja in internal tools, consider isolating the application in sandboxed environments or using web application firewalls (WAFs) with rules to detect and block reflected XSS attempts. Regularly review and update all third-party components to ensure vulnerabilities are promptly addressed.
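The following added example (not vdo.ninja's own code, and not the actual contents of examples/control.html) contrasts the CWE-79 pattern described above, a URL parameter concatenated straight into markup, with the validate-then-encode handling the mitigation recommends. The room-name allowlist (alphanumerics, "_" and "-", 1 to 64 characters) is an assumed policy chosen for illustration.

```javascript
// Added example, not project code. Assumed allowlist for room names:
// alphanumerics, underscore and hyphen, 1-64 characters.
const ROOM_NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Read the "room" query parameter from a URL search string such as "?room=studio1".
function roomFromQuery(search) {
  return new URLSearchParams(search).get('room') || '';
}

// Unsafe pattern: the raw parameter is concatenated into markup, so "<" and quotes
// in the value become live HTML when the string reaches innerHTML (CWE-79).
function renderRoomLabelUnsafe(room) {
  return '<span class="room">' + room + '</span>';
}

// Minimal HTML entity encoder for text placed into element content or quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: reject anything outside the allowlist, then encode what is rendered.
// Returns null for an invalid name so the caller can show a neutral message instead.
function renderRoomLabelSafe(room) {
  if (!ROOM_NAME_RE.test(room)) return null;
  return '<span class="room">' + escapeHtml(room) + '</span>';
}

// Preferred in a real page: skip innerHTML entirely and assign textContent,
// which never parses markup. Returns the text that was set.
function setRoomLabel(element, room) {
  element.textContent = ROOM_NAME_RE.test(room) ? room : 'invalid room name';
  return element.textContent;
}

// Constructed inputs: a normal room name and one carrying markup characters.
const benign = roomFromQuery('?room=studio1');
const hostile = roomFromQuery('?room=%3Cb%3Ex%3C%2Fb%3E');
console.log(renderRoomLabelUnsafe(hostile)); // markup survives intact
console.log(renderRoomLabelSafe(hostile));   // null: rejected by the allowlist
console.log(renderRoomLabelSafe(benign));    // <span class="room">studio1</span>
```

Encoding alone stops markup from being interpreted; the allowlist additionally keeps nonsensical values out of any other place the room name is reused (logs, titles, signalling).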


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-16T19:24:37.268Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68f9472e5256beec8efc5608

Added to database: 10/22/2025, 9:05:50 PM

Last enriched: 10/22/2025, 9:12:19 PM

Last updated: 10/22/2025, 11:49:20 PM

