Cross-site Scripting Vulnerability in dom-expressions from Solid
CVE-2025-27108
7.3 HIGH
Key Information:
- Vendor: Ryansolid
- Product: Dom-expressions
- CVE Published: 21 February 2025
Summary
dom-expressions, Solid's fine-grained runtime for performant DOM rendering, is susceptible to cross-site scripting (XSS) because of how it uses JavaScript's String.prototype.replace() when it inserts asset tags into rendered markup. When a string is passed as the replacement argument, replace() interprets the special replacement patterns $' (the portion of the subject string after the match) and $` (the portion before it), so data that reaches the replacement string is not inserted verbatim. If meta tag attributes are user-defined, an attacker can place these patterns in the attribute value to pull surrounding, unescaped document text into the generated markup, break out of the attribute, and inject arbitrary JavaScript that runs in a victim's browser. The issue is fixed in version 0.39.5; users should upgrade, as there are no known workarounds.
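The replace() behaviour described above, as an added example that is not code from dom-expressions or Solid: the template, the minimal attribute escaper, the payload and the function names are constructed for illustration. It shows a user-supplied meta attribute value containing $' breaking out of a quoted attribute, and the two standard fixes (a replacement function, or doubling every $ in the replacement string).

```javascript
// Added example (not dom-expressions' or Solid's code): the
// String.prototype.replace() pitfall behind CVE-2025-27108, on a
// constructed template, with the two standard fixes.

// Constructed sample document. Asset tags (here a <meta>) are spliced into
// the head by replacing the "</head>" marker.
const PAGE =
  '<!doctype html><html><head><title>t</title></head>' +
  '<body><div class="x">hello</div></body></html>';

// Constructed attacker-controlled value for the meta "content" attribute.
// "$'" is not an HTML metacharacter, so an attribute escaper leaves it alone.
const PAYLOAD = "$'<script>alert(1)</script>";

// Constructed, deliberately minimal attribute-context escaper: it neutralises
// the two characters that could terminate a double-quoted attribute value.
// "<" is left alone because it is harmless *inside* a quoted attribute.
function escapeAttr(s) {
  return s.replace(/[&"]/g, c => (c === '&' ? '&amp;' : '&quot;'));
}

function buildMetaTag(userContent) {
  return `<meta name="description" content="${escapeAttr(userContent)}">`;
}

// VULNERABLE: the tag carrying user data is passed as the replacement
// *string*. replace() interprets "$`" (text before the match), "$'" (text
// after the match), "$&" (the match) and "$$" in it, even when the search
// pattern is a plain string. "$'" therefore pulls the raw, unescaped rest of
// the document into the attribute value; the first '"' in that text ends
// the attribute and everything after it is parsed as markup, including the
// payload's <script> element.
function injectAssetsVulnerable(html, userContent) {
  return html.replace('</head>', buildMetaTag(userContent) + '</head>');
}

// FIXED (a): a replacement *function*'s return value is inserted verbatim;
// no pattern expansion takes place.
function injectAssetsFixedFn(html, userContent) {
  const tag = buildMetaTag(userContent);
  return html.replace('</head>', () => tag + '</head>');
}

// FIXED (b): keep the string form but double every "$" in the replacement
// ("$$" expands to a single literal "$"). The inner replacement '$$$$' is
// itself a replacement string, so it yields "$$".
function injectAssetsFixedEscape(html, userContent) {
  const tag = buildMetaTag(userContent);
  return html.replace('</head>', (tag + '</head>').replace(/\$/g, '$$$$'));
}

// Crude check used in the demo: true when the payload's <script> is preceded
// by a copy of the document tail, i.e. "$'" was expanded and the attribute
// boundary was broken. In the fixed outputs "</html>" only occurs at the end.
function scriptEscapedAttribute(html) {
  return html.includes('</html><script>');
}

console.log('vulnerable :', scriptEscapedAttribute(injectAssetsVulnerable(PAGE, PAYLOAD)));
console.log('fixed (fn) :', scriptEscapedAttribute(injectAssetsFixedFn(PAGE, PAYLOAD)));
console.log('fixed (esc):', scriptEscapedAttribute(injectAssetsFixedEscape(PAGE, PAYLOAD)));
```

Whether a real sink of this shape is exploitable depends on which characters the escaper leaves alone and on what text surrounds the match, but the rule that removes the question is simple: never let user-influenced data into the replacement string of replace(); use a replacement function, or escape every $ as $$ first.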
Affected Version(s)
dom-expressions < 0.39.5
CVSS V3.1
Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
Timeline
- Vulnerability reserved
- Vulnerability published: 21 February 2025