Search for vulnerabilities
| Vulnerability ID | VCID-gqys-45tt-23d3 |
| Aliases |
GHSA-x7mm-9vvv-64w8
|
| Summary | unhead: Streaming SSR `streamKey` injected into inline script without identifier validation ### Summary `createStreamableHead({ streamKey })` interpolated its `streamKey` argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink. ### Details `streamKey` was embedded into JavaScript source via dot notation in two public helpers: * `createBootstrapScript()` returned `<script>window.${streamKey}={...}</script>` * `renderSSRHeadSuspenseChunk()` returned `window.${streamKey}.push(...)` No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A `streamKey` such as `__unhead__;globalThis.PWNED=1;//` broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect `streamKey` because `streamKey` was inserted as raw code rather than as serialized data. ### Impact `streamKey` is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default `__unhead__`). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing `streamKey` from request data. Applications using the default `streamKey`, or any hardcoded custom key, are **not affected**. ### PoC ```ts import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server' const { head } = createStreamableHead({ streamKey: '__unhead__;globalThis.PWNED=1;//', }) const html = renderSSRHeadShell( head, '<!doctype html><html><head></head><body></body></html>', ) // <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>… ``` ### Patch Fixed on `main` in [`64b5ac0`](https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6). The fix will ship in the next patch release of `unhead`. `streamKey` is now validated against a conservative ASCII JavaScript-identifier pattern (`/^[$_a-z][$\w]*$/i`) at every sink — `createStreamableHead`, `createBootstrapScript`, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output. ### Workarounds Do not pass untrusted data into `createStreamableHead({ streamKey })` or `createBootstrapScript(key)`. If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance. ### Credit Thanks to @Jvr2022 for the report. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 2.7 |
| Risk | 1.4 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | LOW | https://github.com/advisories/GHSA-x7mm-9vvv-64w8 |
| cvssv4 | 2.3 | https://github.com/unjs/unhead |
| generic_textual | LOW | https://github.com/unjs/unhead |
| cvssv4 | 2.3 | https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6 |
| generic_textual | LOW | https://github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6 |
| cvssv3.1_qr | LOW | https://github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8 |
| cvssv4 | 2.3 | https://github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8 |
| generic_textual | LOW | https://github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8 |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-12T07:46:56.673007+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x7mm-9vvv-64w8/GHSA-x7mm-9vvv-64w8.json | 38.6.0 |