6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41677

GHSA ID

GHSA-2rwj-7xq8-4gx4

EPSS Score

0.43649%

CWE

CWE-79

Published

8/6/2024

Updated

8/7/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41677

CVE-2024-41677: Qwik has a potential mXSS vulnerability due to improper HTML escaping

Summary

A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.

Details

Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- > -> >
- & -> &
- Other characters -> No conversion

It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS).

PoC

A vulnerable component:

import { component$ } from "@builder.io/qwik";
import { useLocation } from "@builder.io/qwik-city";

export default component$(() => {
  
  // user input
  const { url } = useLocation();
  const href = url.searchParams.get("href") ?? "https://example.com";

  return (
    <div>
      <noscript>
        <a href={href}>test</a>
      </noscript>
    </div>
  );
});

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41677

GHSA ID

GHSA-2rwj-7xq8-4gx4

EPSS Score

0.43649%

CWE

CWE-79

Published

8/6/2024

Updated

8/7/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@builder.io/qwik	npm	< 1.7.3	1.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper HTML escaping in server-side rendering. The original escapeAttr function (replaced in the fix) only handled " and &, but failed to escape < and > in attribute values. This allowed payloads like </noscript> in attributes to break out of context and execute scripts. The commit diff shows escapeAttr was replaced with a consolidated escapeHtml function that properly handles additional characters, confirming escapeAttr was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * pot*nti*l mXSS vuln*r**ility *xists in Qwik *or v*rsions up to *.*.*. ### **t*ils Qwik improp*rly *s**p*s *TML on s*rv*r-si** r*n**rin*. It *onv*rts strin*s ***or*in* to t** *ollowin* rul*s: *ttps://*it*u*.*om/Qwik**v/qwik/*lo*/v*.*

Reasoning

T** vuln*r**ility st*ms *rom improp*r *TML *s**pin* in s*rv*r-si** r*n**rin*. T** ori*in*l `*s**p**ttr` *un*tion (r*pl**** in t** *ix) only **n*l** " *n* &, *ut **il** to *s**p* < *n* > in *ttri*ut* v*lu*s. T*is *llow** p*ylo**s lik* </nos*ript> in *

6.3

Basic Information

Concerned about an active attack path?

CVE-2024-41677: Qwik has a potential mXSS vulnerability due to improper HTML escaping

Summary

Details

PoC

Impact

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI