CVE-2025-27108

{"id": "CVE-2025-27108", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-02-21T22:15:14.170", "references": [{"url": "https://github.com/ryansolid/dom-expressions/commit/521f75dfa89ed24161646e7007d9d7d21da07767", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ryansolid/dom-expressions/security/advisories/GHSA-hw62-58pr-7wc5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `$\\`` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. \"dom-expressions\" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "dom-expressions es un entorno de ejecuci\u00f3n de grano fino para la representaci\u00f3n de DOM de alto rendimiento. En las versiones afectadas, el uso de `.replace()` de javascript abre la puerta a posibles vulnerabilidades de Cross-site Scripting (XSS) con los patrones de reemplazo especiales que comienzan con `$`. En particular, cuando los atributos de la etiqueta `Meta` de solid-meta est\u00e1n definidos por el usuario, los atacantes pueden utilizar los patrones de reemplazo especiales, ya sea `$'` o `$\\`` para lograr XSS. El paquete solid-meta tiene este problema, ya que utiliza `useAffect` y proveedores de contexto, que inyectan los activos utilizados en el encabezado html. \"dom-expressions\" utiliza `.replace()` para insertar los activos, lo que es vulnerable a los patrones de reemplazo especiales enumerados anteriormente. Esto significa efectivamente que si los atributos de una etiqueta de activo contuvieran datos controlados por el usuario, ser\u00eda vulnerable a XSS. Por ejemplo, puede haber metaetiquetas para el protocolo Open Graph en una p\u00e1gina de perfil de usuario, pero si los atacantes configuran la consulta del usuario con alg\u00fan payload que abuse de `.replace()`, entonces podr\u00edan ejecutar c\u00f3digo JavaScript arbitrario en el navegador web de la v\u00edctima. Adem\u00e1s, podr\u00eda almacenarse y causar m\u00e1s problemas. Este problema se ha solucionado en la versi\u00f3n 0.39.5 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-02-27T20:18:12.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ryansolid:dom_expressions:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62555A6D-E93A-4D12-82B3-2F9E7C812F6F", "versionEndExcluding": "0.39.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}