Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)

Severity:: High

Description

Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.

For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.

Recommendation

Update the solid-js package to the latest compatible version. Followings are version details:

Affected version(s): < 1.9.4
Patched version(s): 1.9.4

References

GHSA-3qxh-p7jc-5xh6
CVE-2025-27109
CWE-116
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
Trix allows Cross-site Scripting via `javascript:` url in a link - CVE-2025-21610
Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304

Tags:: npm; solid-js

Anything's wrong? Let us know Last updated on February 25, 2025