CVE-2025-67712
Description
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HTML injection in Esri ArcGIS Web AppBuilder Developer Edition (pre-2.30) allows unauthenticated attackers to inject arbitrary HTML via the config parameter, enabling phishing and defacement.
Vulnerability Overview
CVE-2025-67712 is an HTML injection vulnerability in Esri ArcGIS Web AppBuilder Developer Edition versions prior to 2.30. The root cause lies in the config parameter (e.g., ?config=map_configuration.json), which fails to sanitize HTML tags before injecting them into the Document Object Model (DOM) [1]. A remote, unauthenticated attacker can craft a malicious URL that, when clicked by a victim, causes arbitrary HTML to render within the trusted application domain [1].
Exploitation Conditions
Exploitation requires no authentication and can be performed over the network. The attacker entices a user to click a crafted URL that carries an HTML payload in the vulnerable parameter [1]. Although no JavaScript execution has been demonstrated (so this is not a conventional stored or reflected XSS), injecting arbitrary HTML into the application's context is enough to build convincing phishing pages or deface content [1].
Impact and Severity
The impact is limited by the inability to execute JavaScript, but the ability to inject HTML allows attackers to create convincing phishing forms or deface web content. The CVSS v3 base score is 4.7 (Medium) [1]. Esri has stated that ArcGIS Web AppBuilder 2.30 is not affected [2].
Mitigation Status
ArcGIS Web AppBuilder Developer Edition was retired in July 2024 and is now unsupported [2]. No official patch will be provided for versions earlier than 2.30. Users are strongly encouraged to migrate to ArcGIS Experience Builder, the recommended replacement [2]. Administrators still running legacy deployments should implement strict input validation for the config parameter and consider web application firewall rules to block malicious HTML payloads [1].
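The input-validation mitigation above, as an added defensive example written for this page (not Esri's code): the `config` query parameter is checked against an allow-list of plain relative `.json` file names before use, and any value that must be echoed back is HTML-encoded. The expected shape of the parameter (a relative JSON file path such as `map_configuration.json`) is an assumption.

```javascript
// Defensive example, not part of ArcGIS Web AppBuilder. Assumes the
// `config` parameter is meant to name a JSON configuration file relative
// to the application directory.
const SAFE_CONFIG = /^[A-Za-z0-9_][A-Za-z0-9_\-./]{0,199}\.json$/;

// Returns true only for values that cannot carry markup: no angle
// brackets, quotes or ampersands survive the allow-list, and traversal
// or absolute/remote locations are rejected explicitly.
function isSafeConfigParam(value) {
  if (typeof value !== "string") return false;
  if (value.includes("..") || value.startsWith("/") || /^[a-z]+:/i.test(value)) {
    return false;
  }
  return SAFE_CONFIG.test(value);
}

// When a rejected value has to be shown to the user (for example in an
// error message), encode it so the browser renders text, not HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Extracts `config` from a full application URL and returns the validated
// file name, or null when the parameter is absent or fails validation.
function resolveConfigParam(url) {
  const value = new URL(url).searchParams.get("config");
  if (value === null) return null;
  return isSafeConfigParam(value) ? value : null;
}
```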
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <2.30
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.