Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)

Severity:: High

Description

Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.

For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.

Recommendation

Update the solid-js package to the latest compatible version. Followings are version details:

Affected version(s): < 1.9.4
Patched version(s): 1.9.4

References

GHSA-3qxh-p7jc-5xh6
CVE-2025-27109
CWE-116
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
@workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788

Tags:: npm; solid-js

Anything's wrong? Let us know Last updated on February 25, 2025