Description
Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.
Recommendation
Update the shave package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.5.3
- Patched version(s): 2.5.3
References
Related Issues
- jsPDF Denial of Service (DoS) - CVE-2025-57810
- MailDev Remote Code Execution - CVE-2024-27448
- vxe-table prototype pollution - CVE-2024-57080
- Cross-Site Scripting in jquery - CVE-2020-7656
- Tags:
- npm
- shave
Anything's wrong? Let us know Last updated on January 09, 2023