CVE-2025-27108
DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace
Description
> [!NOTE]
> This advisory was originally emailed to [email protected] by @nsysean.

To sum it up, the use of JavaScript's `.replace()` opens the door to XSS when the replacement argument is a string, because strings beginning with `$` are interpreted as special replacement patterns. In particular, when the attributes of the `Meta` tag from solid-meta are user-defined, attackers can use the special replacement patterns `$'` or `` $` `` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which inject the used assets into the HTML head. "dom-expressions" uses `.replace()` to insert those assets, and that call is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contain user-controlled data, the page is vulnerable to XSS. For instance, a user profile page might carry Open Graph meta tags; if an attacker sets the user-controlled value to a payload abusing `.replace()`, they could execute arbitrary JavaScript in the victim's browser. Moreover, the payload could be stored and cause further problems.
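The following is an added example, not code from dom-expressions or solid-meta, showing why a string replacement argument to `String.prototype.replace` is unsafe for untrusted content and how a function replacer (or `split`/`join`) avoids the problem. The marker `<!--ASSETS-->`, the template and the meta tag are constructed for illustration.

```javascript
// Constructed template: a hypothetical marker where head assets are injected.
const HEAD_MARKER = "<!--ASSETS-->";
const TEMPLATE =
  "<html><head>" + HEAD_MARKER + "</head><body><p>profile</p></body></html>";

// Vulnerable pattern: the replacement is a string, so $`, $', $& and $n
// inside the asset markup are expanded by replace() instead of copied verbatim.
function insertAssetsUnsafe(template, assets) {
  return template.replace(HEAD_MARKER, assets);
}

// Hardened pattern: a function replacer's return value is inserted literally;
// no special-pattern expansion takes place.
function insertAssetsSafe(template, assets) {
  return template.replace(HEAD_MARKER, () => assets);
}

// Alternative hardening: split/join never interprets the inserted text.
function insertAssetsSplitJoin(template, assets) {
  return template.split(HEAD_MARKER).join(assets);
}

// Detection helper for review or tests: does a string contain a sequence that
// a string replacer would expand ($$, $&, $`, $', $1..$99, $<name>)?
const SPECIAL_PATTERN = /\$(?:[$&`']|\d{1,2}|<[^>]*>)/;
function containsReplacementPattern(s) {
  return SPECIAL_PATTERN.test(s);
}

// Constructed asset tag whose attribute value carries the $' pattern.
// With the unsafe helper, $' expands to everything after the marker, so the
// content attribute swallows the rest of the document and breaks out of the tag.
const USER_TAG = "<meta property=\"og:title\" content=\"$'\">";

function demo() {
  return {
    unsafe: insertAssetsUnsafe(TEMPLATE, USER_TAG),
    safe: insertAssetsSafe(TEMPLATE, USER_TAG),
    splitJoin: insertAssetsSplitJoin(TEMPLATE, USER_TAG),
    flagged: containsReplacementPattern(USER_TAG),
  };
}
```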
How to fix CVE-2025-27108
To remediate CVE-2025-27108, upgrade the affected package to a fixed version below.
- Upgrade to 0.39.5 or later
Is CVE-2025-27108 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- dom-expressions: all versions from 0 up to, but not including, 0.39.5