Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Unauthenticated injection via public project key (PR:N) over the network, but a dashboard operator must view the session (UI:R); XSS crosses from SDK into dashboard origin (S:C) enabling JWT theft and account takeover (C:H/I:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated dashboard through TextEllipsis and the event-details modal, allowing an unauthenticated attacker to store script that executes in the dashboard origin, reads the session JWT from localStorage, and takes over a dashboard account. This issue is fixed in version 1.25.0.
AnalysisAI
Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker possess a valid public project key for a target OpenReplay instance running an affected version (1.24.0 to before 1.25.0) - this key is client-side and effectively public, so it is a low bar rather than a real authentication barrier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mostly aligned toward a genuine high priority but with meaningful caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains a target deployment's public project key (embedded client-side in any site running the OpenReplay SDK) submits crafted custom event names or page URLs containing a script payload, which is stored unescaped in ClickHouse. When a legitimate authenticated operator later opens that session in the dashboard and the value renders through TextEllipsis or the event-details modal, the script executes in the dashboard origin, reads the session JWT from localStorage, and exfiltrates it to take over the operator's account. … |
| Remediation | Vendor-released patch: 1.25.0 - upgrade all OpenReplay components to v1.25.0 (release https://github.com/openreplay/openreplay/releases/tag/v1.25.0), which introduces output encoding in the affected rendering paths; the corresponding fix commit is ec41f4425a99c478a4418adbd2f094ab6a8b0daf and the advisory is GHSA-3mfc-7hf4-jfxh. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenReplay deployments and identify instances running versions 1.24.0 through 1.24.x; restrict dashboard access to essential personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openreplay
View allSQL injection in OpenReplay session replay before 1.20.0.
OpenReplay is a self-hosted session replay suite. Rated low severity (CVSS 3.5), this vulnerability is remotely exploita
Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x)
Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper w
SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate a
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43030