Search criteria
2 vulnerabilities found for solid by solidjs
CVE-2025-27109 (GCVE-0-2025-27109)
Vulnerability from cvelistv5 – Published: 2025-02-21 21:12 – Updated: 2025-02-24 17:05
VLAI
Title
Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js
Summary
solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has been addressed in version 1.9.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/solidjs/solid/security/advisor… | x_refsource_CONFIRM |
| https://github.com/solidjs/solid/commit/b93956f28… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27109",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T17:04:46.604783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T17:05:00.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "solid",
"vendor": "solidjs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has been addressed in version 1.9.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-21T21:12:58.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6"
},
{
"name": "https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236"
}
],
"source": {
"advisory": "GHSA-3qxh-p7jc-5xh6",
"discovery": "UNKNOWN"
},
"title": "Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27109",
"datePublished": "2025-02-21T21:12:58.218Z",
"dateReserved": "2025-02-18T16:44:48.766Z",
"dateUpdated": "2025-02-24T17:05:00.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27109 (GCVE-0-2025-27109)
Vulnerability from nvd – Published: 2025-02-21 21:12 – Updated: 2025-02-24 17:05
VLAI
Title
Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js
Summary
solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has been addressed in version 1.9.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/solidjs/solid/security/advisor… | x_refsource_CONFIRM |
| https://github.com/solidjs/solid/commit/b93956f28… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27109",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T17:04:46.604783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T17:05:00.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "solid",
"vendor": "solidjs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has been addressed in version 1.9.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-21T21:12:58.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6"
},
{
"name": "https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236"
}
],
"source": {
"advisory": "GHSA-3qxh-p7jc-5xh6",
"discovery": "UNKNOWN"
},
"title": "Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27109",
"datePublished": "2025-02-21T21:12:58.218Z",
"dateReserved": "2025-02-18T16:44:48.766Z",
"dateUpdated": "2025-02-24T17:05:00.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}