
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-58765 is a reflected cross-site scripting (XSS) vulnerability in wabac.js versions 2.23.10 and earlier, disclosed on September 9, 2025. It sits in the web archive replay system's 404 error handling, where the requestURL value is written into the error page without escaping (GitHub Advisory).
The 404 handler embeds requestURL, which is derived from the original request target, directly into an inline <script> block without sanitization or escaping, so whoever controls the URL controls part of the script source. The vulnerability has a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: reachable over the network, low attack complexity, no privileges required, user interaction required (the victim has to open the crafted link), changed scope, and low impact on each of confidentiality, integrity and availability (GitHub Advisory).
An attacker who gets a victim to open a crafted URL that the replay system answers with its 404 page can execute arbitrary JavaScript in the victim's browser, in the context of the origin that serves that page. Depending on how wabac.js is deployed, the reach of that script may be limited by CORS policies (GitHub Advisory).
The issue is fixed in wabac.js version 2.23.11; upgrade to that version or later. The fix changes how values are placed into generated HTML: instead of being interpolated as raw text, they are passed to the script tag as JSON-encoded strings, so a quote or other metacharacter in the URL stays inside a string literal instead of becoming code (GitHub Commit). To confirm a deployment is patched, check the installed package version (for the npm package, npm ls @webrecorder/wabac) and verify that the replay's 404 page no longer reflects the request URL verbatim into script text.
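As an added illustration (not code from wabac.js, the advisory or the fix commit), the following JavaScript reconstructs the bug class: a 404 renderer that interpolates the request URL straight into an inline <script>, beside a hardened renderer that serializes it as a JSON string literal and additionally escapes "<" so that a "</script>" inside the value cannot end the script element. The function names, the page markup and the two payload strings are hypothetical and constructed for this example; a small script-extraction helper stands in for the browser's HTML parser.

```javascript
// Added example, not wabac.js's own code: reconstructs the bug class in the
// advisory (a request URL interpolated raw into an inline <script> on a 404
// page) beside a hardened renderer. Function names, markup and payloads are
// hypothetical and constructed for illustration.

// Vulnerable pattern: the URL is dropped straight into script source, so a
// quote or a "</script>" in it changes the code the browser runs.
function render404Vulnerable(requestURL) {
  return `<!doctype html><body>
<h1>Not found</h1>
<script>
  window.requestURL = "${requestURL}";
</script>
</body>`;
}

// Hardened pattern: JSON-encode the value so it is always a JS string literal,
// then escape what JSON.stringify leaves alone but an HTML parser cares about:
// "<" (so "</script>" and "<!--" never reach the HTML parser) and
// U+2028/U+2029 (line terminators inside string literals in older engines).
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function render404Fixed(requestURL) {
  return `<!doctype html><body>
<h1>Not found</h1>
<script>
  window.requestURL = ${toScriptLiteral(requestURL)};
</script>
</body>`;
}

// Stand-in for the browser's HTML parser: the text of each <script> element
// runs up to the first "</script", regardless of JS string boundaries.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Executes every extracted script with a fake window and an alert() sink,
// continuing past scripts that fail to parse, as a browser would. Returns the
// value the page ended up storing and every alert() call that fired.
function evaluateScripts(html) {
  const win = {};
  const alertCalls = [];
  for (const body of scriptBodies(html)) {
    try {
      new Function("window", "alert", body)(win, (msg) => alertCalls.push(String(msg)));
    } catch (e) {
      // e.g. SyntaxError from an unterminated string literal; the next
      // <script> element still runs, exactly as in a browser.
    }
  }
  return { requestURL: win.requestURL, alertCalls };
}

// Constructed payloads (not from the advisory): the first breaks out of the
// string literal, the second breaks out of the <script> element itself.
const PAYLOAD_QUOTE = 'https://example.org/x";alert("xss");//';
const PAYLOAD_TAG = 'https://example.org/x</script><script>alert("xss")</script>';

for (const [label, render] of [["vulnerable", render404Vulnerable], ["fixed", render404Fixed]]) {
  for (const payload of [PAYLOAD_QUOTE, PAYLOAD_TAG]) {
    const r = evaluateScripts(render(payload));
    console.log(label, "alert calls:", r.alertCalls.length, "value preserved:", r.requestURL === payload);
  }
}
```

Running it shows the vulnerable renderer firing alert() for both payloads and the hardened one firing none while storing the exact URL. Note that JSON.stringify by itself escapes quotes and backslashes but leaves "<" intact, so a value containing "</script>" would still terminate the element; the extra replace in toScriptLiteral closes that gap, and the same applies to any value emitted into an inline script, not only URLs.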
Source: This report was generated using AI