CVE-2025-65465 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip software versions 2.17 and earlier. The vulnerability stems from improper sanitization of the filename parameter in error messages generated by the RaiseError function, which is invoked during file operations such as FileRead. When a crafted payload containing malicious JavaScript or HTML is passed via the filename parameter, the error message reflects this input directly back to the user without adequate encoding or filtering, enabling remote attackers to execute arbitrary scripts in the context of the victim’s browser. This reflected XSS can lead to session hijacking, credential theft, or other malicious actions depending on the victim’s environment and browser security settings. The vulnerability does not require authentication but does require user interaction to trigger the reflected payload. The CVSS v3.1 base score is 6.1, reflecting medium severity with low attack complexity, network vector, and no privileges required. The scope is changed (S:C) because the vulnerability affects components beyond the vulnerable function, potentially impacting the broader application context. The issue is resolved in Skrol29 TbsZip version 2.18 by properly sanitizing error message outputs. No public exploit code or widespread exploitation has been reported to date.

The primary impact of CVE-2025-65465 is the potential for remote attackers to execute arbitrary scripts in users’ browsers, leading to confidentiality and integrity breaches. This can result in theft of sensitive information such as session tokens, user credentials, or personal data. Additionally, attackers could perform actions on behalf of the user, such as unauthorized requests or manipulation of displayed content. While the vulnerability does not directly affect system availability, successful exploitation can undermine user trust and lead to reputational damage for affected organizations. Since the vulnerability is in a file handling library, any application or service using vulnerable versions of Skrol29 TbsZip may be at risk, particularly web applications that process user-supplied filenames or display error messages to users. The medium severity score reflects that exploitation requires user interaction and does not lead to full system compromise but still poses a significant risk to web application security and user data privacy.

To mitigate CVE-2025-65465, organizations should immediately upgrade Skrol29 TbsZip to version 2.18 or later, where the vulnerability is fixed. In addition, developers should implement strict input validation on all user-supplied parameters, especially filenames, to reject or sanitize potentially malicious characters before processing. Employing robust output encoding techniques (e.g., HTML entity encoding) when displaying error messages or any user input in the UI is critical to prevent script injection. Web application firewalls (WAFs) can be configured to detect and block common XSS attack patterns targeting this vulnerability. Security teams should audit applications that use the affected library to identify any exposure through error handling or file operations. Finally, educating users to avoid clicking suspicious links or opening untrusted files can reduce the risk of exploitation requiring user interaction.