CVE-2025-4022

Name of the Vulnerable Software and Affected Versions web-arena-x webarena versions up to 0.2.0

Description A critical issue has been found, affecting the function HTMLContentEvaluator of the file webarena/evaluation harness/evaluators.py. The manipulation of the argument target["url"] leads to code injection. This issue can be exploited remotely. The exploit has been publicly disclosed and may be used.

Recommendations For versions up to 0.2.0, as a temporary workaround, consider disabling the HTMLContentEvaluator function until a patch is available. Restrict access to the evaluators.py file to minimize the risk of exploitation. Avoid using the target["url"] argument in the affected function until the issue is resolved.