Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/unhead@3.0.1
purl pkg:npm/unhead@3.0.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-gqys-45tt-23d3 unhead: Streaming SSR `streamKey` injected into inline script without identifier validation ### Summary `createStreamableHead({ streamKey })` interpolated its `streamKey` argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink. ### Details `streamKey` was embedded into JavaScript source via dot notation in two public helpers: * `createBootstrapScript()` returned `<script>window.${streamKey}={...}</script>` * `renderSSRHeadSuspenseChunk()` returned `window.${streamKey}.push(...)` No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A `streamKey` such as `__unhead__;globalThis.PWNED=1;//` broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect `streamKey` because `streamKey` was inserted as raw code rather than as serialized data. ### Impact `streamKey` is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default `__unhead__`). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing `streamKey` from request data. Applications using the default `streamKey`, or any hardcoded custom key, are **not affected**. ### PoC ```ts import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server' const { head } = createStreamableHead({ streamKey: '__unhead__;globalThis.PWNED=1;//', }) const html = renderSSRHeadShell( head, '<!doctype html><html><head></head><body></body></html>', ) // <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>… ``` ### Patch Fixed on `main` in [`64b5ac0`](https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6). The fix will ship in the next patch release of `unhead`. `streamKey` is now validated against a conservative ASCII JavaScript-identifier pattern (`/^[$_a-z][$\w]*$/i`) at every sink — `createStreamableHead`, `createBootstrapScript`, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output. ### Workarounds Do not pass untrusted data into `createStreamableHead({ streamKey })` or `createBootstrapScript(key)`. If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance. ### Credit Thanks to @Jvr2022 for the report. GHSA-x7mm-9vvv-64w8

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-15T09:15:50.090943+00:00 GitLab Importer Fixing VCID-gqys-45tt-23d3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/unhead/GHSA-x7mm-9vvv-64w8.yml 38.6.0
2026-06-13T06:29:02.359477+00:00 GHSA Importer Fixing VCID-gqys-45tt-23d3 https://github.com/advisories/GHSA-x7mm-9vvv-64w8 38.6.0
2026-06-12T07:46:56.699843+00:00 GithubOSV Importer Fixing VCID-gqys-45tt-23d3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x7mm-9vvv-64w8/GHSA-x7mm-9vvv-64w8.json 38.6.0