Executive Summary

CVE-2025-45806 is a cross-site scripting (XSS) vulnerability found in the rrweb-snapshot package versions before v2.0.0-alpha.18.

The vulnerability arises from the 'rebuild' method in rrweb-snapshot, which does not properly sanitize the snapshot data before reconstructing the DOM during session replay.

This insufficient sanitization allows attackers to inject crafted payloads that can execute arbitrary web scripts or HTML when the recorded session is replayed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the execution of arbitrary scripts within the context of the web application replaying the rrweb snapshot.

Such script execution can result in unauthorized actions, data theft, session hijacking, or other malicious activities depending on the attacker's payload.

Services using rrweb for session replay that do not mitigate this issue may expose their users and systems to these security risks.

A recommended mitigation is to render the reconstructed DOM inside a sandboxed iframe using the HTML 'sandbox' attribute to isolate the replayed content and prevent script execution in the parent context.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability in rrweb-snapshot involves execution of arbitrary web scripts via crafted payloads during DOM reconstruction in session replay. Detection involves identifying usage of vulnerable rrweb-snapshot versions (before v2.0.0-alpha.18) and inspecting replayed session data for unsanitized or suspicious script content.

Since rrweb-snapshot is a JavaScript/TypeScript library used for recording and replaying web sessions, detection on a system or network would focus on verifying the rrweb-snapshot version in use and analyzing session replay implementations.

Suggested commands to detect the vulnerable version or presence of rrweb-snapshot in your project or environment include:

• Check installed rrweb-snapshot version in your project directory (if using npm or yarn): - npm list rrweb-snapshot - yarn list rrweb-snapshot
• Search for rrweb-snapshot usage in your codebase: - grep -r 'rrweb-snapshot' ./
• Inspect network traffic or logs for replayed session data containing suspicious or crafted payloads that might include script tags or unusual HTML content.

No specific detection commands or tools are provided in the available resources, so detection relies on version checking and manual inspection of session replay implementations.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation for this vulnerability is to isolate the replayed DOM content to prevent execution of malicious scripts in the parent context.

Specifically, it is recommended to render the reconstructed DOM inside a sandboxed iframe using the HTML "sandbox" attribute. This approach confines the execution environment and prevents unintended script execution from affecting the main document.

Additionally, verifying and upgrading rrweb-snapshot to a fixed version once available is advised, although at the time of the report no fixed version was released.

Security teams using rrweb have mitigated the risk by modifying their integration to use sandboxed iframes for session replay.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in rrweb-snapshot allows execution of arbitrary web scripts or HTML via crafted payloads during session replay, which can lead to unauthorized script execution and potential data exposure.

Such a security flaw could impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access or disclosure.

If exploited, this vulnerability might enable attackers to access or manipulate sensitive user data recorded in web sessions, thereby violating data protection requirements.

Mitigation strategies, such as sandboxing the replayed content in iframes, are recommended to reduce risk and help maintain compliance.

Useful 0 Not Useful 0