Description
On HTML elements handled by Orejime, one could run malicious code by embedding javascript: code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. data-href into href), thus executing the code.
Recommendation
Update the orejime package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.3.2
- Patched version(s): 2.3.2
References
Related Issues
- Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) - CVE-2025-66398
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - CVE-2025-27789
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups (GHSA-968p-4wvh-cqc8) - CVE-2025-27789
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups (GHSA-968p-4wvh-cqc8) 3 - CVE-2025-27789
- Tags:
- npm
- orejime
Anything's wrong? Let us know Last updated on January 13, 2026