CVE-2025-27109
Published: 21 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-27109 affects solid-js, a declarative JavaScript library for building user interfaces, in versions prior to 1.9.4. The vulnerability arises when inserts/JSX expressions inside illegal inlined JSX fragments lack proper escaping, allowing user input placed directly inside those fragments to be rendered as HTML. This flaw is classified under CWE-79 (cross-site scripting) and CWE-116 (improper encoding or escaping of output).
The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Attackers can achieve limited impacts on confidentiality, integrity, and availability by injecting user-controlled data into affected JSX fragments, resulting in the execution of arbitrary HTML in the victim's browser context.
The SolidJS security advisory (GHSA-3qxh-p7jc-5xh6) and fixing commit (b93956f28ed75469af6976a98728e313d0edd236) confirm the issue was addressed in version 1.9.4, urging all users to upgrade immediately. No workarounds are known.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This XSS vulnerability in a JavaScript UI library allows remote unauthenticated attackers to inject and execute arbitrary HTML/JS in the victim's browser without user interaction, directly enabling exploitation of public-facing applications (T1190) and JavaScript command/script execution (T1059.007).