
CVE-2025-27109:
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)

CVSS Score (v3.1): 7.3

Basic Information

EPSS Score: 0.26489%
Published: 2/25/2025
Updated: 2/25/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name: solid-js
Ecosystem: npm
Vulnerable Versions: < 1.9.4
First Patched Version: 1.9.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing HTML escaping in JSX fragment resolution. The commit diff shows the critical change: an escape() function was added to wrap the parameters passed to resolveSSRNode in ErrorBoundary and Suspense. Before the patch, these components passed user-controlled data (such as URL parameters) to resolveSSRNode without sanitization, allowing raw HTML injection. The example demonstrates XSS via {text()}, a value that flows through these rendering paths. The functions ErrorBoundary and Suspense are explicitly modified in the patch to add escaping, confirming their role in the vulnerability.
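The root-cause analysis above is illustrated here with an added, simplified model of the rendering path; this is not Solid's source code. The names resolveSSRNode, escapeHtml, renderFragmentUnsafe and renderFragmentSafe are assumptions that mimic the shape of the fix (wrapping dynamic values in an escape call before they reach the SSR node resolver), and the input string is a constructed sample taken from the advisory's example.

```javascript
// Added illustration, not Solid's source: a simplified model of how an SSR
// renderer concatenates a JSX fragment's children into an HTML string. The
// fix for CVE-2025-27109 wrapped dynamic values in an escape() call before
// they reach resolveSSRNode; the two render functions below show both paths.

// Minimal HTML escaper for text content and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the SSR node resolver (assumed name): an array of children is
// joined into markup; a function child is a reactive accessor that is called
// to obtain its current value, as {text()} is inside a Solid component.
function resolveSSRNode(node) {
  if (Array.isArray(node)) return node.map(resolveSSRNode).join("");
  if (typeof node === "function") return resolveSSRNode(node());
  if (node == null || typeof node === "boolean") return "";
  return String(node);
}

// Vulnerable shape: the accessor's raw value is handed to the resolver, so
// any markup in it is emitted into the response verbatim.
function renderFragmentUnsafe(text) {
  return resolveSSRNode(["<p>", () => text, "</p>"]);
}

// Patched shape: dynamic values are escaped before resolution; the static
// markup supplied by the template itself is trusted and left alone.
function renderFragmentSafe(text) {
  return resolveSSRNode(["<p>", () => escapeHtml(text), "</p>"]);
}

// Constructed request value mirroring the ?text= parameter in the advisory.
const untrusted = "<svg/onload=alert(1)>";

console.log(renderFragmentUnsafe(untrusted)); // <p><svg/onload=alert(1)></p>
console.log(renderFragmentSafe(untrusted));   // <p>&lt;svg/onload=alert(1)&gt;</p>
```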

WAF Protection Rules

WAF Rule

Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. For instance, `?text=<svg/onload=alert(1)>` would trigger XSS here. `const [text]`
