# Bug report: XSS vulnerability due to unescaped value in Show_Base64_offsets recipe #2344 ## Vulnerability Overview An XSS vulnerability exists in the `Show_Base64_offsets` recipe of CyberChef. This vulnerability arises because the `staticSection` (output from `toBase64` and containing a user-controlled alphabet) is not escaped in `ShowBase64Offsets.mjs` at lines 98, 128, and 158. When `showVariable` is `false`, the raw Base64 output is returned as HTML without escaping. Combined with an explicit `eval()` call (in `OutputWriter.mjs` at line 373), this allows arbitrary JavaScript execution via a crafted URL. ## Scope - **Affected Versions**: CyberChef 10.24.0 and later - **Affected Recipe**: `Show_Base64_offsets` - **Trigger Conditions**: User-controlled alphabet input with `showVariable` set to `false` ## Remediation - **Status**: Fixed - **Fix Commit**: `fixShowBase64Offsets: escape staticSection on showVariable=false (#2344)` - **Recommendation**: The `staticSection` should be escaped using `Utils.escapeHtml()` before being included in the HTML output. ## POC Code ```javascript https://gchq.github.io/CyberChef/#recipe=Show_Base64_offsets(%27Script%27%3Ealert(1)%27)ABCDEF0GHIJKLMNOPQRSTUVWXYZ0123456789+/&input=Zm9vYmFyYmF6 ```