CVE-2025-62613 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the vdo.ninja application, a tool that integrates remote video feeds into broadcasting software like OBS via WebRTC. The vulnerability exists in versions 28.0 through 28.3 inclusive, specifically in the examples/control.html page where the 'room' URL parameter is improperly sanitized before being rendered in the Document Object Model (DOM). This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL containing executable JavaScript code within the 'room' parameter. When a victim accesses this URL, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. The vulnerability is exploitable remotely without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score of 6.9 reflects a medium severity, considering the ease of exploitation and the potential impact on confidentiality and integrity. The issue was publicly disclosed on October 22, 2025, and has been patched in version 28.4 of vdo.ninja. No known exploits in the wild have been reported to date. The vulnerability highlights the importance of proper input validation and encoding in web applications, especially those handling real-time communications and media streaming.

For European organizations, especially those in media production, broadcasting, and live streaming sectors, this vulnerability poses a tangible risk. Exploitation could allow attackers to execute arbitrary scripts in the context of the vulnerable web application, leading to session hijacking, theft of sensitive information, or manipulation of video feeds and control interfaces. This could disrupt live broadcasts, compromise user privacy, and damage organizational reputation. Given the use of vdo.ninja in professional and semi-professional streaming environments, the impact extends to content integrity and availability. Furthermore, attackers could leverage this vulnerability as a foothold for further attacks within the network if the compromised browser session has elevated privileges or access to internal resources. The absence of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of successful attacks if unpatched systems are exposed to the internet or accessed by untrusted users.

The primary mitigation is to upgrade all instances of vdo.ninja to version 28.4 or later, where the vulnerability has been patched. Organizations should audit their deployment environments to identify any usage of affected versions. Additionally, implement strict input validation and output encoding on all user-controllable parameters, especially those reflected in the DOM. Employ Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Network segmentation and access controls should limit exposure of the application to trusted users only. Monitoring and logging of web application access can help detect suspicious activity related to exploitation attempts. Educate users and administrators about the risks of clicking on untrusted links containing URL parameters. Finally, consider using web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting the 'room' parameter.