CVE-2025-27109 Overview
CVE-2025-27109 is a Cross-Site Scripting (XSS) vulnerability affecting solid-js, a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions, inserts and JSX expressions inside illegal inlined JSX fragments lacked proper escaping, allowing user input to be rendered as HTML when placed directly inside JSX fragments. This vulnerability enables attackers to inject malicious scripts that execute in the context of affected web applications.
Critical Impact
User-supplied input can be rendered as executable HTML/JavaScript within JSX fragments, potentially leading to session hijacking, data theft, and malicious actions performed on behalf of authenticated users.
Affected Products
- solid-js versions prior to 1.9.4
- Applications using JSX fragments with unsanitized user input
- Server-side rendering implementations using solid-js
Discovery Timeline
- 2025-02-21 - CVE CVE-2025-27109 published to NVD
- 2025-02-24 - Last updated in NVD database
Technical Details for CVE-2025-27109
Vulnerability Analysis
This vulnerability (CWE-79: Cross-Site Scripting) exists in the server-side rendering component of solid-js. The core issue stems from missing HTML entity escaping when processing JSX expressions that are resolved outside of DOM Expressions. When user-controlled data is inserted into JSX fragments, the library fails to properly escape HTML special characters such as <, >, &, and ". This allows attackers to break out of the intended text context and inject arbitrary HTML or JavaScript code.
The vulnerability is particularly concerning in server-side rendering scenarios where user input flows through the rendering.ts module without proper sanitization. Applications that directly embed user-provided data within JSX fragments are susceptible to reflected or stored XSS attacks.
Root Cause
The root cause lies in the absence of an escape() function within the server-side rendering module (packages/solid/src/server/rendering.ts). While the web module (solid-js/web) contains proper escaping utilities, these were not being utilized during server-side resolution of JSX expressions. This architectural oversight meant that dynamic content inserted via JSX expressions bypassed the standard XSS protections that developers would reasonably expect from a modern JavaScript UI library.
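To make the root cause concrete, here is an added example (my own code, not solid-js or the patch itself): a simplified escape() with the same text/attribute modes the patch describes, beside an unsafe fragment renderer modelling the pre-1.9.4 behaviour and a safe one that escapes every resolved child. The helper names and the sample input are constructed for this demonstration.

```javascript
// Added example, not solid-js code: a simplified escape() in the shape the
// patch describes, plus before/after fragment renderers. Helper names and the
// sample input are constructed for this demonstration.
function escapeHtml(s, attr = false) {
  if (typeof s !== "string") {
    if (!attr && typeof s === "function") return escapeHtml(s()); // resolve lazy JSX expression
    if (!attr && Array.isArray(s)) return s.map(v => escapeHtml(v)); // escape every child
    return String(s); // numbers, booleans, etc. carry no markup
  }
  // Text context: "<" opens a tag; attribute context: '"' closes the value.
  // "&" must be escaped in both, or an entity could be smuggled through.
  const delim = attr ? '"' : "<";
  const escDelim = attr ? "&quot;" : "&lt;";
  let out = "";
  for (const ch of s) {
    if (ch === "&") out += "&amp;";
    else if (ch === delim) out += escDelim;
    else out += ch;
  }
  return out;
}

// Pre-1.9.4 behaviour the advisory describes: expressions inside an inlined
// fragment were resolved and concatenated verbatim into the rendered HTML.
function renderFragmentUnsafe(children) {
  return [].concat(children).map(c => (typeof c === "function" ? c() : c)).join("");
}

// Patched behaviour: each resolved child passes through escape() first.
function renderFragmentSafe(children) {
  return [].concat(escapeHtml(children)).join("");
}

// Attribute context: the attr flag switches the delimiter to the quote.
function renderAttrSafe(name, value) {
  return `${name}="${escapeHtml(value, true)}"`;
}

// Detection helper: does the rendered HTML still contain a raw opening tag?
function containsRawTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed untrusted input mixing the three characters that matter here.
const UNTRUSTED = '<script>alert("x")</script> & "quoted"';
console.log(renderFragmentUnsafe(UNTRUSTED)); // markup survives: XSS
console.log(renderFragmentSafe(UNTRUSTED));   // &lt;script>... inert text
```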
Attack Vector
The attack vector is network-based and requires no authentication or user interaction for exploitation. An attacker can craft malicious input containing HTML/JavaScript payloads and submit them to an application built with vulnerable solid-js versions. When the application renders this input within a JSX fragment, the malicious code executes in the victim's browser context. Attack scenarios include:
- Injecting <script> tags to execute arbitrary JavaScript
- Embedding event handlers like onerror or onclick within injected elements
- Stealing session cookies or authentication tokens
- Performing actions on behalf of authenticated users
- Redirecting users to phishing sites
// Security patch in packages/solid/src/server/rendering.ts
// Source: https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236
? JSX.IntrinsicElements[T]
: Record<string, unknown>;
+// these methods are duplicates from solid-js/web
+// we need a better solution for this in the future
+function escape(s: any, attr?: boolean) {
+ const t = typeof s;
+ if (t !== "string") {
+ if (!attr && t === "function") return escape(s());
+ if (!attr && Array.isArray(s)) {
+ for (let i = 0; i < s.length; i++) s[i] = escape(s[i]);
+ return s;
+ }
+ if (attr && t === "boolean") return String(s);
+ return s;
+ }
+ const delim = attr ? '"' : "<";
+ const escDelim = attr ? """ : "<";
+ let iDelim = s.indexOf(delim);
+ let iAmp = s.indexOf("&");
+
+ if (iDelim < 0 && iAmp < 0) return s;
+
+ let left = 0,
+ out = "";
+
+ while (iDelim >= 0 && iAmp >= 0) {
+ if (iDelim < iAmp) {
+ if (left < iDelim) out += s.substring(left, iDelim);
+ out += escDelim;
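Review bot: the `escDelim` line reads `const escDelim = attr ? """ : "<";`, which as shown is not valid TypeScript and, in the text branch, would replace `<` with `<`, making the escape a no-op; the values the function needs there are the entity strings `&quot;` and `&lt;`, which the page rendering has decoded back into raw characters, so take the actual values from the linked commit b93956f. Note also that the hunk is cut off inside the first branch of the `while` loop, so the `&` branch and the copy of the remaining input are not visible here, and that, as visible, the function escapes only the chosen delimiter and `&` (not `>`), which is what a text context and a double-quoted attribute context require.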
Source: GitHub Commit b93956f
Detection Methods for CVE-2025-27109
Indicators of Compromise
- Unexpected <script> tags or JavaScript event handlers appearing in rendered HTML output
- User-submitted content containing HTML special characters being rendered as actual HTML elements
- Web application firewall logs showing XSS payload patterns in request parameters
- Browser console errors related to blocked inline scripts (if Content Security Policy is enabled)
Detection Strategies
- Audit package.json and package-lock.json for solid-js versions below 1.9.4
- Implement automated dependency scanning in CI/CD pipelines using tools like npm audit or Snyk
- Review server-side rendering code for patterns where user input flows into JSX fragments
- Deploy web application firewall rules to detect common XSS payload signatures
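An added example (not from the advisory) for the lockfile check above: it walks a package-lock.json in either the v1 `dependencies` tree or the v2/v3 `packages` map and reports every solid-js copy older than 1.9.4, including copies nested under another dependency. The sample lockfile and its version numbers are constructed; pre-release tags are ignored by the comparison, which is an assumption of this helper.

```javascript
// Added example, not part of the advisory: scan a package-lock.json for
// solid-js installs older than the fixed release 1.9.4, nested copies included.
const FIXED_VERSION = "1.9.4";

// Numeric compare of major.minor.patch; pre-release suffixes are dropped (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns [{path, version}] for every solid-js entry below FIXED_VERSION.
function findVulnerableSolid(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/solid-js") && meta.version &&
          compareVersions(meta.version, FIXED_VERSION) < 0) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "solid-js" && compareVersions(meta.version, FIXED_VERSION) < 0) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: patched root copy, vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/solid-js": { version: "1.9.4" },
    "node_modules/some-ui-kit": { version: "2.0.0" },
    "node_modules/some-ui-kit/node_modules/solid-js": { version: "1.8.22" },
  },
};
console.log(findVulnerableSolid(SAMPLE_LOCK)); // only the nested 1.8.22 copy
```

Run it against a real lockfile with `findVulnerableSolid(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`.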
Monitoring Recommendations
- Enable Content Security Policy (CSP) headers with violation reporting to detect XSS attempts
- Monitor application logs for unusual HTML entities in user-submitted data fields
- Implement runtime XSS detection using browser-based security monitoring
- Review access logs for requests containing encoded script tags or JavaScript event handlers
How to Mitigate CVE-2025-27109
Immediate Actions Required
- Upgrade solid-js to version 1.9.4 or later immediately
- Audit all instances where user-controlled data is rendered within JSX fragments
- Implement Content Security Policy headers as a defense-in-depth measure
- Consider temporarily disabling server-side rendering of user content until patched
Patch Information
The vulnerability has been addressed in solid-js version 1.9.4. The fix introduces proper HTML escaping functions directly into the server-side rendering module, ensuring that special characters like <, >, &, and " are converted to their corresponding HTML entities (&lt;, &gt;, &amp;, &quot;) before rendering. For detailed information, see the GitHub Security Advisory GHSA-3qxh-p7jc-5xh6 and the security patch commit.
Workarounds
- There are no known workarounds that fully address this vulnerability; upgrading to version 1.9.4 is the only complete mitigation. The measures below only reduce exposure until the upgrade is applied:
- As a temporary defense-in-depth measure, implement strict Content Security Policy headers
- Manually sanitize all user input before rendering in JSX fragments using a library like DOMPurify
- Limit server-side rendering of user-generated content until the patch is applied
# Upgrade solid-js to the patched version (npm install accepts a version spec)
npm install solid-js@^1.9.4
# Verify installed version
npm list solid-js
# Audit for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.