CVE-2025-45806 Overview
A cross-site scripting (XSS) vulnerability has been identified in rrweb-snapshot, a JavaScript library used for recording and replaying web page DOM snapshots. This vulnerability exists in versions prior to v2.0.0-alpha.18 and allows attackers to execute arbitrary web scripts or HTML via a crafted payload. The rrweb library is widely used for session recording, debugging, and user behavior analysis, making this vulnerability particularly concerning for organizations utilizing these capabilities.
Critical Impact
Attackers can inject malicious scripts that execute in the context of victims' browsers, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of authenticated users.
Affected Products
- rrweb-snapshot versions prior to v2.0.0-alpha.18
- Applications integrating the vulnerable rrweb-snapshot package
- Web applications using rrweb for session replay functionality
Discovery Timeline
- 2026-04-09 - CVE-2025-45806 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2025-45806
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw resides in the rrweb-snapshot package's handling of DOM snapshot data during the replay process.
When rrweb-snapshot processes recorded DOM events for replay, it fails to properly sanitize certain input payloads. This allows an attacker to craft malicious content that, when replayed, executes arbitrary JavaScript code in the context of the viewing application. The attack requires user interaction, as the victim must view or replay a session containing the malicious payload.
The vulnerability affects applications that replay recorded sessions without additional sanitization layers, potentially exposing users who view replayed sessions to script injection attacks.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and output encoding within the rrweb-snapshot library. When capturing and reconstructing DOM elements during the replay process, the library does not adequately sanitize special characters or HTML entities that could be interpreted as executable code. This allows crafted payloads embedded within recorded session data to bypass security controls and execute in the browser context during replay.
Attack Vector
The attack is network-based and requires an attacker to inject a specially crafted payload into a recorded session. This could occur through various means:
- An attacker with access to the recording mechanism could inject malicious content
- A compromised recording endpoint could be used to store malicious session data
- Man-in-the-middle attacks could modify session data in transit
When a victim views or replays the poisoned session through an application using the vulnerable rrweb-snapshot library, the malicious script executes in their browser context. This could lead to session token theft, keylogging, phishing overlays, or other client-side attacks.
For technical details on the vulnerability mechanism, refer to the GitHub Issue Discussion.
Detection Methods for CVE-2025-45806
Indicators of Compromise
- Unusual JavaScript execution patterns during rrweb session replay
- Unexpected network requests originating from replay components
- User reports of suspicious behavior when viewing recorded sessions
- Detection of script injection patterns in stored session data
Detection Strategies
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Monitor application logs for XSS-related error messages or blocked script attempts
- Deploy web application firewalls (WAF) with XSS detection signatures
- Perform regular code scanning to identify vulnerable rrweb-snapshot versions in dependencies
Monitoring Recommendations
- Enable browser console logging during session replays to detect script injection attempts
- Implement real-time monitoring of outbound network connections from replay components
- Set up alerts for unexpected DOM modifications during session playback
- Review stored session data periodically for malicious payload patterns
How to Mitigate CVE-2025-45806
Immediate Actions Required
- Update rrweb-snapshot to version v2.0.0-alpha.18 or later immediately
- Audit all applications using rrweb-snapshot to identify vulnerable instances
- Review stored session data for potential malicious payloads
- Implement additional input sanitization layers before session replay
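To support the audit step above, the following added example (not rrweb project tooling) walks a package-lock.json and flags every copy of rrweb-snapshot, including nested ones, whose version sorts below v2.0.0-alpha.18; it assumes the lockfile v2/v3 layout, where the "packages" map is keyed by install path, and the lock fragment is constructed for demonstration.

```javascript
// Added example (not rrweb project tooling): flag copies of rrweb-snapshot in a
// package-lock.json that are older than the fixed release. Assumes lockfile
// v2/v3 layout, where the "packages" map is keyed by install path.
const FIXED_VERSION = '2.0.0-alpha.18';

// Parse "major.minor.patch[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver-style compare: negative if a < b. A release outranks any prerelease
// of the same core, and numeric prerelease ids compare numerically, so
// 2.0.0-alpha.9 < 2.0.0-alpha.18 < 2.0.0 (a plain string sort gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] - pb.main[i];
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) return pb.pre.length - pa.pre.length;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    if (i >= pa.pre.length) return -1; // shorter prerelease list sorts lower
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x - +y; }
    else if (xn !== yn) return xn ? -1 : 1; // numeric ids rank below alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Report every install path of rrweb-snapshot (top-level or nested under
// another package's node_modules) whose version is below FIXED_VERSION.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/rrweb-snapshot$/.test(path)) continue;
    if (compareVersions(info.version, FIXED_VERSION) < 0) hits.push({ path, version: info.version });
  }
  return hits;
}

// Constructed lockfile fragment for demonstration (not a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/rrweb-snapshot': { version: '2.0.0-alpha.17' },
  'node_modules/legacy-widget/node_modules/rrweb-snapshot': { version: '1.1.14' },
  'node_modules/replay-ui/node_modules/rrweb-snapshot': { version: '2.0.0-alpha.18' },
} };
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable` and treat any non-empty result as a finding.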
Patch Information
The vulnerability has been addressed in rrweb-snapshot version v2.0.0-alpha.18. Organizations should update to this version or later to remediate the vulnerability. Additional information can be found in the rrweb GitHub repository and the rrweb-snapshot package documentation.
Workarounds
- Implement strict Content Security Policy (CSP) headers to mitigate script execution
- Add server-side sanitization of recorded session data before storage
- Restrict access to session replay functionality to trusted users only
- Consider disabling session replay features until the patch can be applied
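As an illustration of the sanitization layer recommended above (and of the root cause, that the replayer rebuilds DOM elements without neutralizing script-bearing content), here is an added example that is not rrweb's own fix: a defensive pass over a serialized snapshot before it is stored or replayed. It assumes the rrweb serialized-node shape (`type` 2 for elements, `tagName`, `attributes`, `childNodes`); the sample snapshot is constructed, not a real capture.

```javascript
// Added example (not rrweb's own fix): a defensive pass over a serialized
// rrweb snapshot before it is stored or handed to the replayer. It assumes the
// rrweb serialized-node shape: `type` (2 = element), `tagName`, `attributes`,
// `childNodes`; any other field is passed through untouched.
const ELEMENT_NODE = 2;
const BLOCKED_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'base']);
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Browsers ignore leading control characters and whitespace before parsing the
// scheme, so normalise the same way before checking it.
function isUnsafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('vbscript:') ||
    v.startsWith('data:text/html');
}

// Returns the cleaned node (null if the node itself was dropped) plus counters
// of what was removed, so the caller can log or alert on a poisoned session.
function sanitizeSnapshot(node, stats = { removedNodes: 0, removedAttrs: 0 }) {
  if (!node || typeof node !== 'object') return { node, stats };
  if (node.type === ELEMENT_NODE) {
    if (BLOCKED_TAGS.has(String(node.tagName || '').toLowerCase())) {
      stats.removedNodes += 1;
      return { node: null, stats };
    }
    const attrs = node.attributes || {};
    for (const name of Object.keys(attrs)) {
      const lower = name.toLowerCase();
      const drop = lower.startsWith('on') || lower === 'srcdoc' ||
        (URL_ATTRS.has(lower) && isUnsafeUrl(attrs[name]));
      if (drop) { delete attrs[name]; stats.removedAttrs += 1; }
    }
  }
  if (Array.isArray(node.childNodes)) {
    node.childNodes = node.childNodes
      .map((child) => sanitizeSnapshot(child, stats).node)
      .filter((child) => child !== null);
  }
  return { node, stats };
}

// Constructed snapshot (not a real capture): one inline event handler, one
// script-scheme link with leading whitespace, one script element.
const SAMPLE_SNAPSHOT = { type: 0, childNodes: [{ type: 2, tagName: 'body', attributes: {}, childNodes: [
  { type: 2, tagName: 'img', attributes: { src: '/logo.png', onerror: 'handler()' }, childNodes: [] },
  { type: 2, tagName: 'a', attributes: { href: ' JavaScript:void(0)' }, childNodes: [{ type: 3, textContent: 'x' }] },
  { type: 2, tagName: 'script', attributes: {}, childNodes: [] },
] }] };

// Sanitize a deep copy so the stored original stays available for forensics.
function sanitizeCopy(snapshot) {
  return sanitizeSnapshot(JSON.parse(JSON.stringify(snapshot)));
}
```

This is a safety net in front of the replayer, not a substitute for upgrading to v2.0.0-alpha.18 or later; a non-zero counter from `sanitizeCopy` is itself a useful detection signal.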
# Update rrweb-snapshot to the patched version. Use npm install with an explicit range:
# npm update stays inside the range in package.json, which will not include the
# v2.0.0-alpha.18 prerelease unless it is set explicitly.
npm install rrweb-snapshot@^2.0.0-alpha.18
# Verify the installed version, including nested copies under other packages
npm list rrweb-snapshot --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.