CVE-2025-27108
Published: 21 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-27108 is a cross-site scripting (XSS) vulnerability in dom-expressions, a fine-grained runtime for performant DOM rendering, stemming from the unsafe use of JavaScript's `.replace()` method with special replacement patterns beginning with `$`, such as `$'` or ``$` ``. This issue particularly affects scenarios involving user-defined attributes in Meta tags managed by the solid-meta package, which leverages `useAffect` and context providers to inject assets into the HTML header. Dom-expressions' `.replace()` implementation during asset insertion fails to sanitize these patterns, enabling XSS when user-controlled data populates asset tag attributes. The vulnerability is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote, unauthenticated attackers can exploit this vulnerability by injecting malicious payloads into user-controllable fields that influence Meta tag attributes, such as Open Graph protocol metadata on user profile pages. For example, an attacker could craft a query parameter that abuses the `.replace()` patterns to execute arbitrary JavaScript in the victim's browser on page load. Both reflected and stored variants are possible; a stored payload persists and so amplifies the impact. Successful exploitation allows theft of session data, cookie manipulation, or further site compromise, with no user interaction required beyond visiting the affected page.
The GitHub security advisory (GHSA-hw62-58pr-7wc5) and related commit (521f75dfa89ed24161646e7007d9d7d21da07767) confirm the fix in dom-expressions version 0.39.5, recommending that all users upgrade immediately. No workarounds are available.
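The following is an added example, not code from dom-expressions or solid-meta, that reproduces the class of defect described above in miniature: an HTML-escaped attribute value is handed to `String.prototype.replace()` as a plain string replacement, so the `$'` pattern inside it is expanded to the text following the match and raw markup re-enters an attribute that was already escaped. The template, the `escapeAttr` helper and the `insertAssets*` function names are all constructed for this example; the two hardened variants (a function replacer, or doubling `$` to `$$` before use) are standard JavaScript techniques, not the project's own patch.

```javascript
// Added example (not from dom-expressions or solid-meta). Shows why a string
// replacement argument to .replace() is unsafe for untrusted text and two
// ways to insert such text literally.

// Constructed page template with a placeholder where head assets are injected.
const TEMPLATE = "<html><head><!--ASSETS--></head><body><p>Hi</p></body></html>";

// Minimal escaping for a double-quoted HTML attribute value.
// (Replacement strings here contain no "$", so they are safe as plain strings.)
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build a meta tag whose content attribute is derived from user input.
function metaTag(content) {
  return `<meta property="og:title" content="${escapeAttr(content)}">`;
}

// Defective insertion: assetHtml is passed as a *string* replacement, so the
// special patterns "$&", "$'", "$`" and "$$" inside it are interpreted by
// .replace(). "$'" expands to everything after the match, i.e. the rest of
// the page, which contains unescaped "<" and ">".
function insertAssetsUnsafe(template, assetHtml) {
  return template.replace("<!--ASSETS-->", assetHtml);
}

// Hardened insertion (a): a function replacer's return value is inserted
// verbatim; no "$" pattern processing takes place.
function insertAssetsFn(template, assetHtml) {
  return template.replace("<!--ASSETS-->", () => assetHtml);
}

// Hardened insertion (b): neutralise "$" by doubling it before using the
// value as a string replacement. The literal "$$$$" below is itself a
// replacement string and yields "$$", which the outer .replace() turns
// back into a single "$".
function insertAssetsEscaped(template, assetHtml) {
  return template.replace("<!--ASSETS-->", assetHtml.replace(/\$/g, "$$$$"));
}

// Returns true when the rendered page still contains the tag exactly as
// built, i.e. no "$" pattern was expanded during insertion.
function tagInsertedLiterally(renderedPage, tag) {
  return renderedPage.includes(tag);
}

// Stand-alone demonstration with a constructed input containing "$'".
const userTitle = "title $' tail";
const tag = metaTag(userTitle);
console.log("unsafe  :", tagInsertedLiterally(insertAssetsUnsafe(TEMPLATE, tag), tag));
console.log("fn      :", tagInsertedLiterally(insertAssetsFn(TEMPLATE, tag), tag));
console.log("escaped :", tagInsertedLiterally(insertAssetsEscaped(TEMPLATE, tag), tag));
```

The instructive point for reviewers is that `escapeAttr` did its job: the tag string is correctly escaped before insertion. The breakage happens one step later, inside `.replace()` itself, which is why output-encoding audits should also check every place a string reaches a replacement argument. A function replacer is the simplest fix because it removes the pattern language from the path entirely.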
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS vulnerability enables remote exploitation of public-facing web applications (T1190) to inject and execute arbitrary JavaScript in the victim's browser (T1059.007).