Headline
GHSA-2rwj-7xq8-4gx4: Qwik has a potential mXSS vulnerability due to improper HTML escaping
Summary
A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.
Details
Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
- If the string is an attribute value:
"->"&->&- Other characters -> No conversion
- Otherwise:
<-><>->>&->&- Other characters -> No conversion
It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS).
PoC
A vulnerable component:
import { component$ } from "@builder.io/qwik";
import { useLocation } from "@builder.io/qwik-city";
export default component$(() => {
// user input
const { url } = useLocation();
const href = url.searchParams.get("href") ?? "https://example.com";
return (
<div>
<noscript>
<a href={href}>test</a>
</noscript>
</div>
);
});
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then, alert(123) will be executed.
Impact
XSS
Summary
A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.
Details
Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
- If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
- Otherwise:
- < -> <
-> > * & -> & * Other characters -> No conversion
It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS).
PoC
A vulnerable component:
import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city";
export default component$(() => {
// user input const { url } = useLocation(); const href = url.searchParams.get(“href”) ?? "https://example.com";
return ( <div> <noscript> <a href={href}>test</a> </noscript> </div> ); });
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then, alert(123) will be executed.
Impact
XSS
References
- GHSA-2rwj-7xq8-4gx4
- QwikDev/qwik@7e742eb
- https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
- https://nvd.nist.gov/vuln/detail/CVE-2024-41677