CVE-2025-27109
📋 TL;DR
This vulnerability in solid-js allows user input to be rendered as HTML when placed directly inside JSX fragments, enabling cross-site scripting (XSS) attacks. All applications using affected versions of solid-js are vulnerable if they handle untrusted user input in JSX fragments. The vulnerability affects both server-side and client-side rendering scenarios.
💻 Affected Systems
- solid-js
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, performing actions as the user, or redirecting to malicious sites.
Likely Case
XSS attacks leading to session hijacking, credential theft, or defacement of web applications.
If Mitigated
If input validation and output encoding are properly implemented elsewhere, impact is limited to specific JSX fragment usage patterns.
🎯 Exploit Status
Exploitation requires user input to be placed directly inside JSX fragments without proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.4
Vendor Advisory: https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6
Restart Required: No
Instructions:
1. Update the solid-js dependency to version 1.9.4 or later.
2. Run npm update solid-js or yarn upgrade solid-js.
3. Rebuild and redeploy your application.
🔧 Temporary Workarounds
Input Sanitization
Manually sanitize all user input before using it in JSX fragments
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Review all JSX fragment usage and ensure user input is properly escaped or sanitized
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for the solid-js version. If the version is below 1.9.4, you are vulnerable.
Check Version:
npm list solid-js or yarn list solid-js
Verify Fix Applied:
Verify solid-js version is 1.9.4 or higher after update. Test JSX fragments with test payloads to ensure proper escaping.
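The lockfile check described above can be automated. The following is an added example, not code from the advisory or the solid-js project; the function names and the sample lockfile are constructed for illustration. It goes slightly beyond the text by also reporting copies of solid-js nested under other dependencies.

```javascript
// Added example: find every installed copy of solid-js in a parsed
// package-lock.json and flag copies older than the fixed release, 1.9.4.
const FIXED = [1, 9, 4];

// True when the version sorts below 1.9.4; a pre-release of 1.9.4 counts as below.
function isBelowFix(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return true; // unparseable (git URL, missing field): flag for review
  const nums = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect { path, version, vulnerable } for each solid-js entry.
// Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
function findSolid(lock) {
  const hits = [];
  const add = (path, version) => hits.push({ path, version, vulnerable: isBelowFix(version) });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/solid-js")) add(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "solid-js") add(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project): one patched top-level
// copy and one older copy nested under a hypothetical dependency "some-widget".
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/solid-js": { version: "1.9.4" },
    "node_modules/some-widget/node_modules/solid-js": { version: "1.8.22" },
  },
};
console.log(findSolid(sampleLock));
```

To run it against a real project, pass the result of JSON.parse on the contents of package-lock.json to findSolid instead of sampleLock.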
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns
- Suspicious user input containing script tags
Network Indicators:
- Unexpected script loads from user-controlled sources
SIEM Query:
Search for patterns like <script> or javascript: in user input fields that feed into JSX rendering