materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

Severity:: Medium

Description

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.0.0

References

GHSA-7jvx-f994-rfw2
snyk.io
CVE-2022-25349
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Materialize-css vulnerable to Cross-site Scripting in tooltip component (GHSA-98f7-p5rc-jx67) - CVE-2019-11002
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - CVE-2024-28176
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. - CVE-2022-0691
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793

Tags:: npm; materialize-css

Anything's wrong? Let us know Last updated on February 01, 2023