Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
- Severity:
- High
Description
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.
For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.
Recommendation
Update the solid-js package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.9.4
- Patched version(s): 1.9.4
References
Related Issues
- DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - vega-interpreter - CVE-2025-59840
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - vega-expression - CVE-2025-59840
You might also like:
- Tags:
- npm
- solid-js
Anything's wrong? Let us know Last updated on February 25, 2025