GHSA-3qxh-p7jc-5xh6: Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when placed directly inside JSX fragments.
For instance, the query string `?text=<svg/onload=alert(1)>` would trigger XSS in the component below.
```jsx
import { createResource } from "solid-js";
import { getRequestEvent } from "solid-js/web";

// Component wrapper added so the advisory's snippet is complete; the name is illustrative.
export default function Page() {
  // Reads the untrusted ?text= query parameter from the incoming server request.
  const [text] = createResource(() => {
    return new URL(getRequestEvent().request.url).searchParams.get("text");
  });
  // In solid-js < 1.9.4 the insert inside this inlined fragment was not escaped.
  return (
    <>
      Text: {text()}
    </>
  );
}
```
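To show the defender's side of the advisory, the following is an added example (not Solid's own code and not the fix in solidjs/solid@b93956f): it contrasts concatenating the quoted payload into the fragment raw with escaping it first, checks rendered output for a surviving raw tag, and tests a package version against the advisory's affected range (< 1.9.4). All function names and the sample input are constructed for this illustration.

```javascript
// Added example, not code from the Solid project or its fix commit.

// Constructed input: the payload quoted in the advisory, as delivered via
// ?text=<svg/onload=alert(1)>
const UNTRUSTED_TEXT = "<svg/onload=alert(1)>";

// Minimal HTML escaping for text content: the five characters that can
// break out of a text node or an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Models the pre-1.9.4 behaviour: the insert lands in the markup unchanged.
function renderFragmentUnescaped(text) {
  return `Text: ${text}`;
}

// Models the corrected behaviour: the insert is escaped before insertion.
function renderFragmentEscaped(text) {
  return `Text: ${escapeHtml(text)}`;
}

// Output check usable in a test suite: does the rendered string still
// contain something that parses as a tag?
function containsRawTag(html) {
  return /<[a-zA-Z!/]/.test(html);
}

// Returns true when a solid-js version falls inside the affected range (< 1.9.4).
// Prerelease suffixes (e.g. "1.9.4-beta.1") are ignored for the comparison.
function isAffectedSolidVersion(version) {
  const parts = version.split("-")[0].split(".").map(Number);
  const fixed = [1, 9, 4];
  for (let i = 0; i < 3; i++) {
    const v = parts[i] || 0;
    if (v < fixed[i]) return true;
    if (v > fixed[i]) return false;
  }
  return false; // exactly 1.9.4 is fixed
}

console.log(renderFragmentUnescaped(UNTRUSTED_TEXT)); // raw tag survives
console.log(renderFragmentEscaped(UNTRUSTED_TEXT));   // Text: &lt;svg/onload=alert(1)&gt;
```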
High severity · GitHub Reviewed · Published Feb 21, 2025 in solidjs/solid · Updated Feb 25, 2025
Package
npm solid-js (npm)
Affected versions
< 1.9.4
References
- GHSA-3qxh-p7jc-5xh6
- https://nvd.nist.gov/vuln/detail/CVE-2025-27109
- solidjs/solid@b93956f
Published to the GitHub Advisory Database: Feb 25, 2025
Last updated: Feb 25, 2025