CVE-2025-27108

dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `$\`` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/ryansolid/dom-expressions/commit/521f75dfa89ed24161646e7007d9d7d21da07767	Patch
https://github.com/ryansolid/dom-expressions/security/advisories/GHSA-hw62-58pr-7wc5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ryansolid:dom_expressions:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-21 22:15

Updated : 2025-02-27 20:26

NVD link : CVE-2025-27108

Mitre link : CVE-2025-27108

CVE.ORG link : CVE-2025-27108

JSON object : View

Products Affected

ryansolid

dom_expressions

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2025-27108", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-02-21T22:15:14.170", "references": [{"url": "https://github.com/ryansolid/dom-expressions/commit/521f75dfa89ed24161646e7007d9d7d21da07767", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/ryansolid/dom-expressions/security/advisories/GHSA-hw62-58pr-7wc5", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `$\\`` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. \"dom-expressions\" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "dom-expressions es un entorno de ejecuci\u00f3n de grano fino para la representaci\u00f3n de DOM de alto rendimiento. En las versiones afectadas, el uso de `.replace()` de javascript abre la puerta a posibles vulnerabilidades de Cross-site Scripting (XSS) con los patrones de reemplazo especiales que comienzan con `$`. En particular, cuando los atributos de la etiqueta `Meta` de solid-meta est\u00e1n definidos por el usuario, los atacantes pueden utilizar los patrones de reemplazo especiales, ya sea `$'` o `$\\`` para lograr XSS. El paquete solid-meta tiene este problema, ya que utiliza `useAffect` y proveedores de contexto, que inyectan los activos utilizados en el encabezado html. \"dom-expressions\" utiliza `.replace()` para insertar los activos, lo que es vulnerable a los patrones de reemplazo especiales enumerados anteriormente. Esto significa efectivamente que si los atributos de una etiqueta de activo contuvieran datos controlados por el usuario, ser\u00eda vulnerable a XSS. Por ejemplo, puede haber metaetiquetas para el protocolo Open Graph en una p\u00e1gina de perfil de usuario, pero si los atacantes configuran la consulta del usuario con alg\u00fan payload que abuse de `.replace()`, entonces podr\u00edan ejecutar c\u00f3digo JavaScript arbitrario en el navegador web de la v\u00edctima. Adem\u00e1s, podr\u00eda almacenarse y causar m\u00e1s problemas. Este problema se ha solucionado en la versi\u00f3n 0.39.5 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-02-27T20:26:40.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ryansolid:dom_expressions:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62555A6D-E93A-4D12-82B3-2F9E7C812F6F", "versionEndExcluding": "0.39.5"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}