Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/90346?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90346?format=api", "vulnerability_id": "VCID-9j6d-uqxu-q3hd", "summary": "unhead: Streaming SSR `streamKey` injected into inline script without identifier validation\n### Summary\n\n`createStreamableHead({ streamKey })` interpolated its `streamKey` argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.\n\n### Details\n\n`streamKey` was embedded into JavaScript source via dot notation in two public helpers:\n\n* `createBootstrapScript()` returned `<script>window.${streamKey}={...}</script>`\n* `renderSSRHeadSuspenseChunk()` returned `window.${streamKey}.push(...)`\n\nNo escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A `streamKey` such as `__unhead__;globalThis.PWNED=1;//` broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect `streamKey` because `streamKey` was inserted as raw code rather than as serialized data.\n\n### Impact\n\n`streamKey` is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default `__unhead__`). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing `streamKey` from request data.\n\nApplications using the default `streamKey`, or any hardcoded custom key, are **not affected**.\n\n### PoC\n\n```ts\nimport { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server'\n\nconst { head } = createStreamableHead({\n streamKey: '__unhead__;globalThis.PWNED=1;//',\n})\n\nconst html = renderSSRHeadShell(\n head,\n '<!doctype html><html><head></head><body></body></html>',\n)\n\n// <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>…\n```\n\n### Patch\n\nFixed on `main` in [`64b5ac0`](https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6). The fix will ship in the next patch release of `unhead`.\n\n`streamKey` is now validated against a conservative ASCII JavaScript-identifier pattern (`/^[$_a-z][$\\w]*$/i`) at every sink — `createStreamableHead`, `createBootstrapScript`, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.\n\n### Workarounds\n\nDo not pass untrusted data into `createStreamableHead({ streamKey })` or `createBootstrapScript(key)`. If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.\n\n### Credit\n\nThanks to @Jvr2022 for the report.", "aliases": [ { "alias": "GHSA-x7mm-9vvv-64w8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111654?format=api", "purl": "pkg:npm/unhead@3.0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1019593?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019594?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019595?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019596?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019597?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019598?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019599?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019600?format=api", "purl": "pkg:npm/unhead@3.0.0-beta.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-beta.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019601?format=api", "purl": "pkg:npm/unhead@3.0.0-rc.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-rc.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019602?format=api", "purl": "pkg:npm/unhead@3.0.0-rc.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-rc.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019603?format=api", "purl": "pkg:npm/unhead@3.0.0-rc.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0-rc.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/1019604?format=api", "purl": "pkg:npm/unhead@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j6d-uqxu-q3hd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/unhead@3.0.0" } ], "references": [ { "reference_url": "https://github.com/unjs/unhead", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/unjs/unhead" }, { "reference_url": "https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6" }, { "reference_url": "https://github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8" }, { "reference_url": "https://github.com/advisories/GHSA-x7mm-9vvv-64w8", "reference_id": "GHSA-x7mm-9vvv-64w8", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x7mm-9vvv-64w8" } ], "weaknesses": [ { "cwe_id": 79, "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "description": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "0.1 - 3", "exploitability": "0.5", "weighted_severity": "2.7", "risk_score": 1.4, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9j6d-uqxu-q3hd" }