GHSA-X7MM-9VVV-64W8
Vulnerability from github – Published: 2026-04-10 22:09 – Updated: 2026-04-10 22:09Summary
createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.
Details
streamKey was embedded into JavaScript source via dot notation in two public helpers:
createBootstrapScript()returned<script>window.${streamKey}={...}</script>renderSSRHeadSuspenseChunk()returnedwindow.${streamKey}.push(...)
No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A streamKey such as __unhead__;globalThis.PWNED=1;// broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect streamKey because streamKey was inserted as raw code rather than as serialized data.
Impact
streamKey is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default __unhead__). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing streamKey from request data.
Applications using the default streamKey, or any hardcoded custom key, are not affected.
PoC
import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server'
const { head } = createStreamableHead({
streamKey: '__unhead__;globalThis.PWNED=1;//',
})
const html = renderSSRHeadShell(
head,
'<!doctype html><html><head></head><body></body></html>',
)
// <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>…
Patch
Fixed on main in 64b5ac0. The fix will ship in the next patch release of unhead.
streamKey is now validated against a conservative ASCII JavaScript-identifier pattern (/^[$_a-z][$\w]*$/i) at every sink — createStreamableHead, createBootstrapScript, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.
Workarounds
Do not pass untrusted data into createStreamableHead({ streamKey }) or createBootstrapScript(key). If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.
Credit
Thanks to @Jvr2022 for the report.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0"
},
"package": {
"ecosystem": "npm",
"name": "unhead"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-beta.5"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T22:09:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\n`createStreamableHead({ streamKey })` interpolated its `streamKey` argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.\n\n### Details\n\n`streamKey` was embedded into JavaScript source via dot notation in two public helpers:\n\n* `createBootstrapScript()` returned `\u003cscript\u003ewindow.${streamKey}={...}\u003c/script\u003e`\n* `renderSSRHeadSuspenseChunk()` returned `window.${streamKey}.push(...)`\n\nNo escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A `streamKey` such as `__unhead__;globalThis.PWNED=1;//` broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect `streamKey` because `streamKey` was inserted as raw code rather than as serialized data.\n\n### Impact\n\n`streamKey` is a developer-chosen configuration value rather than a data field \u2014 the intended usage is a hardcoded identifier-shaped constant (default `__unhead__`). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing `streamKey` from request data.\n\nApplications using the default `streamKey`, or any hardcoded custom key, are **not affected**.\n\n### PoC\n\n```ts\nimport { createStreamableHead, renderSSRHeadShell } from \u0027unhead/stream/server\u0027\n\nconst { head } = createStreamableHead({\n streamKey: \u0027__unhead__;globalThis.PWNED=1;//\u0027,\n})\n\nconst html = renderSSRHeadShell(\n head,\n \u0027\u003c!doctype html\u003e\u003chtml\u003e\u003chead\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\u003c/html\u003e\u0027,\n)\n\n// \u003c!doctype html\u003e\u003chtml\u003e\u003chead\u003e\u003cscript\u003ewindow.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}\u003c/script\u003e\u2026\n```\n\n### Patch\n\nFixed on `main` in [`64b5ac0`](https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6). The fix will ship in the next patch release of `unhead`.\n\n`streamKey` is now validated against a conservative ASCII JavaScript-identifier pattern (`/^[$_a-z][$\\w]*$/i`) at every sink \u2014 `createStreamableHead`, `createBootstrapScript`, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.\n\n### Workarounds\n\nDo not pass untrusted data into `createStreamableHead({ streamKey })` or `createBootstrapScript(key)`. If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.\n\n### Credit\n\nThanks to @Jvr2022 for the report.",
"id": "GHSA-x7mm-9vvv-64w8",
"modified": "2026-04-10T22:09:39Z",
"published": "2026-04-10T22:09:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8"
},
{
"type": "WEB",
"url": "https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6"
},
{
"type": "PACKAGE",
"url": "https://github.com/unjs/unhead"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "unhead: Streaming SSR `streamKey` injected into inline script without identifier validation"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.