CVE-2025-27109 - Overview, Insights & Trends

CVE-2025-27109

Published Feb 21, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-27109 is a cross-site scripting (XSS) vulnerability in solid-js, a declarative, efficient, and flexible JavaScript library for building user interfaces. The vulnerability stems from a lack of HTML escaping within JSX fragments, which are typically used to represent HTML elements within JavaScript code. User-provided input inserted directly into a JSX fragment is rendered as HTML, so an attacker can inject HTML and JavaScript that potentially executes in a victim's browser. The issue was addressed in solid-js version 1.9.4; upgrading to that version or later mitigates the vulnerability.

Description
solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions, Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has been addressed in version 1.9.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: security-advisories@github.com
NVD status: Received

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.3
Impact score: 3.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity: HIGH

Weaknesses

security-advisories@github.com
CWE-79
