Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
- Severity:
- High
Description
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.
For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.
Recommendation
Update the solid-js package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.9.4
- Patched version(s): 1.9.4
References
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788
- @fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state - CVE-2023-31999
- Tags:
- npm
- solid-js
Anything's wrong? Let us know Last updated on February 25, 2025