CVE-2025-69771
Published: 25 February 2026
Summary
CVE-2025-69771 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Killergerbah Asbplayer. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces validation and sanitization of untrusted .srt subtitle file inputs to block arbitrary JavaScript execution in the extension.
Filters subtitle content prior to rendering or insertion into the streaming platform context, preventing XSS payload execution and same-site bypass.
Requires timely identification, reporting, and patching of the specific XSS flaw in asbplayer version 1.14.0 to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in subtitle file loader directly enables arbitrary JavaScript execution (T1059.007) via user-opened malicious file (T1204.002), facilitating browser session hijacking (T1185) and web session cookie theft (T1539) for same-site API abuse and account takeover.
NVD Description
Cross-Site Scripting (XSS) vulnerability in the subtitle loading function of the asbplayer Chrome Extension version 1.14.0 allows attackers to execute arbitrary JavaScript in the context of the active streaming platform via a crafted .srt subtitle file. Because the script executes…
more
within the same-site context, it can bypass cross-origin restrictions, leading to unauthorized same-site API requests and session data exfiltration.
Deeper analysisAI
CVE-2025-69771 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-434, in the subtitle loading function of the asbplayer Chrome Extension version 1.14.0. Published on 2026-02-25, it enables attackers to execute arbitrary JavaScript in the context of the active streaming platform when a user loads a crafted .srt subtitle file through the extension. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability.
Any remote attacker can exploit this vulnerability by distributing a malicious .srt subtitle file, which requires user interaction—such as opening the file in the extension while viewing a stream—to trigger. No privileges are needed, and once executed, the JavaScript runs within the same-site context of the streaming platform, bypassing cross-origin restrictions. This allows attackers to make unauthorized same-site API requests and exfiltrate session data, potentially leading to account takeover or further compromise on the target site.
Mitigation guidance and additional details are available in the referenced sources, including the asbplayer GitHub repository at https://github.com/killergerbah/asbplayer and the advisory at https://reve-offensive.tistory.com/35.
Details
- CWE(s)