CVE-2025-67712 in ArcGIS Web AppBuilder Developer Edition
Summary
by MITRE • 12/19/2025
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.
Analysis
by VulDB Data Team • 12/22/2025
CVE-2025-67712 is an HTML injection flaw in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30. The weakness lies in how the application renders user-provided input inside an HTML context without sanitizing or encoding it. It is triggered when the application processes external links or user-supplied content containing HTML markup, which lets an attacker inject arbitrary HTML elements into the victim's browsing session.
The flaw falls under CWE-79, the category for Cross-Site Scripting (XSS) vulnerabilities that arise when an application fails to validate or sanitize input before rendering it in a web page. Although this instance does not allow JavaScript execution, the ability to inject HTML still has real consequences for user sessions: an attacker could alter page content, insert foreign HTML elements, or build misleading interfaces that trick users into unintended actions. The underlying mechanism is a classic server-side HTML injection vector in which user-controllable data flows directly into HTML output without context-aware encoding.
The operational impact goes beyond simple content manipulation, since the flaw enables social engineering and user deception. When a victim clicks a crafted link, the injected HTML renders in their browser session and can change the appearance of legitimate application interfaces or display misleading information, opening the door to credential theft through phishing, unauthorized data disclosure, or other abuse of the user's trust in the application. The absence of JavaScript execution does not remove the threat; HTML injection alone supports interface tampering and user manipulation that compromise both security and user experience.
Mitigation consists of upgrading to ArcGIS Web AppBuilder version 2.30 or later, which contains the fix for the HTML injection flaw. Organizations should also apply proper input validation and output encoding in custom applications built on this platform to prevent similar defects. Because the developer edition is retired and unsupported, organizations should consider migrating to supported Esri products and deploying comprehensive web application security controls, including a content security policy and a proper HTML sanitization library. The vulnerability illustrates the importance of keeping software current and the risk of running unsupported legacy systems that no longer receive security patches.
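To make the mechanism and the fix concrete, the following is an added example in JavaScript; it is not Esri's code and not taken from the advisory. The untrusted input (a `title` query parameter), the banner template that acts as the sink, and the link itself are all constructed for the demonstration. It shows the vulnerable pattern (input concatenated into markup), the hardened pattern (the same template with context-aware encoding), and a small review check that flags any tag in the rendered output that the template did not put there.

```javascript
// Added example, not the product's code. The "title" parameter and the banner
// template are hypothetical stand-ins for the unknown sink in the application.

// Encode the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extract the untrusted value from a link the way an app reading its own
// URL would (the parameter name is an assumption for this demo).
function titleFromLink(link) {
  return new URL(link).searchParams.get("title") || "";
}

// Vulnerable pattern: untrusted input is dropped straight into markup, so any
// tags it carries become part of the page (CWE-79 without script execution).
function renderUnsafe(title) {
  return `<div class="banner"><h2>${title}</h2></div>`;
}

// Hardened pattern: same output shape, but the value is encoded for the HTML
// text context it lands in, so markup renders as literal text.
function renderSafe(title) {
  return `<div class="banner"><h2>${escapeHtml(title)}</h2></div>`;
}

// Review/unit-test helper: list tag names in the rendered markup that the
// template never emits. Anything returned here came from the input.
const TEMPLATE_TAGS = new Set(["div", "h2"]);
function foreignTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.add(name);
  }
  return [...found];
}

// Constructed sample link: the title parameter carries a <b> element.
const SAMPLE_LINK = "https://example.invalid/app/?title=%3Cb%3ENotice%3C%2Fb%3E";
const sampleTitle = titleFromLink(SAMPLE_LINK);
console.log("unsafe :", renderUnsafe(sampleTitle), foreignTags(renderUnsafe(sampleTitle)));
console.log("safe   :", renderSafe(sampleTitle), foreignTags(renderSafe(sampleTitle)));
```

Output encoding at the point where the value enters the HTML context is the actual fix; a sanitization library is the alternative only where users are meant to supply rich markup. A content security policy does not stop plain HTML injection, since no script is involved, but directives such as `form-action` and `img-src` limit what injected markup can do (for example, where a fake login form may post), so it is a worthwhile second layer rather than a substitute for encoding.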