Anonymous Intelligence Signal

CyberChef XSS Vulnerability: Unescaped Input in OffsetChecker.mjs Exposes Users to Script Injection

human The Lab unverified 2026-04-04 11:26:56 Source: GitHub Issues

A critical cross-site scripting (XSS) vulnerability has been reported in the latest version of GCHQ's CyberChef, a widely used web-based cybersecurity tool. The flaw, located in the `OffsetChecker.mjs` module, allows an attacker to inject and execute arbitrary JavaScript code by supplying a malicious payload to the `sampleDelim` parameter. This is not a theoretical risk; a functional proof-of-concept exploit has been published, demonstrating that the attack can successfully trigger an alert with the document's domain, confirming script execution in the victim's browser context.

The vulnerability stems from a failure to escape user-supplied input before it is rendered into the HTML output; the unescaped write is on line 102 of the affected file. The public exploit recipe uses a crafted `<img>` tag with an `onerror` handler, a classic XSS vector. This exposes any user who opens or interacts with a maliciously crafted CyberChef recipe link to potential session hijacking, data theft, or further exploitation. The issue is present in version 10.22.1, indicating it is a recent regression or oversight.
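The bug class described above, shown as an added example that is not CyberChef's source code: a delimiter string joined into HTML without escaping, next to the escaped form and a regression check. The function names (`escapeHtml`, `renderUnsafe`, `renderSafe`, `foreignTags`), the `hl` class and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers modelling the bug class, not CyberChef code.

// Escape the five characters that can change the HTML parsing context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(str) {
    return String(str).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Before: samples and the delimiter are concatenated straight into markup,
// so any markup inside sampleDelim becomes part of the page.
function renderUnsafe(samples, sampleDelim) {
    return samples.map(s => `<span class="hl">${s}</span>`).join(sampleDelim);
}

// After: every user-controlled string is escaped at the point of output.
function renderSafe(samples, sampleDelim) {
    return samples
        .map(s => `<span class="hl">${escapeHtml(s)}</span>`)
        .join(escapeHtml(sampleDelim));
}

// Regression check: list element tags other than the template's own <span>.
// A non-empty result means user input reached the output as live markup.
function foreignTags(html) {
    const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
    return tags.filter(t => t.replace(/[<\/]/g, "").toLowerCase() !== "span");
}

// Constructed sample input: a delimiter carrying markup (inert handler body).
const SAMPLES = ["abc", "a&b"];
const SAMPLE_DELIM = '<img src=x onerror="1">';

console.log("unsafe foreign tags:", foreignTags(renderUnsafe(SAMPLES, SAMPLE_DELIM)));
console.log("safe foreign tags:  ", foreignTags(renderSafe(SAMPLES, SAMPLE_DELIM)));
console.log("safe output:        ", renderSafe(SAMPLES, SAMPLE_DELIM));
```

A check like `foreignTags` fits in a unit test for any operation that returns HTML, run with each string argument set to a markup-bearing value.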

The presence of this bug in a tool maintained by GCHQ—a signals intelligence agency—and used extensively by security professionals for data analysis elevates its significance. It creates a paradox where a utility designed for security operations becomes a potential attack vector itself. Until a patch is released, users are advised to exercise extreme caution with untrusted recipe links. This incident underscores the persistent challenge of input sanitization in complex web applications, even within high-profile, security-focused projects.