CVE-2025-27109 Overview
CVE-2025-27109 is a Cross-Site Scripting (XSS) vulnerability affecting solid-js, a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions, inserts and JSX expressions inside illegal inlined JSX fragments lacked proper escaping, allowing user input to be rendered as HTML when placed directly inside JSX fragments. This vulnerability enables attackers to inject malicious scripts that execute in the context of affected web applications.
Critical Impact
User-supplied input can be rendered as executable HTML/JavaScript within JSX fragments, potentially leading to session hijacking, data theft, and malicious actions performed on behalf of authenticated users.
Affected Products
- solid-js versions prior to 1.9.4
- Applications using JSX fragments with unsanitized user input
- Server-side rendering implementations using solid-js
Discovery Timeline
- 2025-02-21 - CVE CVE-2025-27109 published to NVD
- 2025-02-24 - Last updated in NVD database
Technical Details for CVE-2025-27109
Vulnerability Analysis
This vulnerability (CWE-79: Cross-Site Scripting) exists in the server-side rendering component of solid-js. The core issue stems from missing HTML entity escaping when processing JSX expressions that are resolved outside of DOM Expressions. When user-controlled data is inserted into JSX fragments, the library fails to properly escape HTML special characters such as <, >, &, and ". This allows attackers to break out of the intended text context and inject arbitrary HTML or JavaScript code.
The vulnerability is particularly concerning in server-side rendering scenarios where user input flows through the rendering.ts module without proper sanitization. Applications that directly embed user-provided data within JSX fragments are susceptible to reflected or stored XSS attacks.
Root Cause
The root cause lies in the absence of an escape() function within the server-side rendering module (packages/solid/src/server/rendering.ts). While the web module (solid-js/web) contains proper escaping utilities, these were not being utilized during server-side resolution of JSX expressions. This architectural oversight meant that dynamic content inserted via JSX expressions bypassed the standard XSS protections that developers would reasonably expect from a modern JavaScript UI library.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction for exploitation. An attacker can craft malicious input containing HTML/JavaScript payloads and submit them to an application built with vulnerable solid-js versions. When the application renders this input within a JSX fragment, the malicious code executes in the victim's browser context. Attack scenarios include:
- Injecting <script> tags to execute arbitrary JavaScript
- Embedding event handlers like onerror or onclick within injected elements
- Stealing session cookies or authentication tokens
- Performing actions on behalf of authenticated users
- Redirecting users to phishing sites
// Security patch in packages/solid/src/server/rendering.ts
// Source: https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236
? JSX.IntrinsicElements[T]
: Record<string, unknown>;
+// these methods are duplicates from solid-js/web
+// we need a better solution for this in the future
+function escape(s: any, attr?: boolean) {
+ const t = typeof s;
+ if (t !== "string") {
+ if (!attr && t === "function") return escape(s());
+ if (!attr && Array.isArray(s)) {
+ for (let i = 0; i < s.length; i++) s[i] = escape(s[i]);
+ return s;
+ }
+ if (attr && t === "boolean") return String(s);
+ return s;
+ }
+ const delim = attr ? '"' : "<";
+ const escDelim = attr ? """ : "<";
+ let iDelim = s.indexOf(delim);
+ let iAmp = s.indexOf("&");
+
+ if (iDelim < 0 && iAmp < 0) return s;
+
+ let left = 0,
+ out = "";
+
+ while (iDelim >= 0 && iAmp >= 0) {
+ if (iDelim < iAmp) {
+ if (left < iDelim) out += s.substring(left, iDelim);
+ out += escDelim;
Source: GitHub Commit b93956f
Detection Methods for CVE-2025-27109
Indicators of Compromise
- Unexpected <script> tags or JavaScript event handlers appearing in rendered HTML output
- User-submitted content containing HTML special characters being rendered as actual HTML elements
- Web application firewall logs showing XSS payload patterns in request parameters
- Browser console errors related to blocked inline scripts (if Content Security Policy is enabled)
Detection Strategies
- Audit package.json and package-lock.json for solid-js versions below 1.9.4
- Implement automated dependency scanning in CI/CD pipelines using tools like npm audit or Snyk
- Review server-side rendering code for patterns where user input flows into JSX fragments
- Deploy web application firewall rules to detect common XSS payload signatures
Monitoring Recommendations
- Enable Content Security Policy (CSP) headers with violation reporting to detect XSS attempts
- Monitor application logs for unusual HTML entities in user-submitted data fields
- Implement runtime XSS detection using browser-based security monitoring
- Review access logs for requests containing encoded script tags or JavaScript event handlers
How to Mitigate CVE-2025-27109
Immediate Actions Required
- Upgrade solid-js to version 1.9.4 or later immediately
- Audit all instances where user-controlled data is rendered within JSX fragments
- Implement Content Security Policy headers as a defense-in-depth measure
- Consider temporarily disabling server-side rendering of user content until patched
Patch Information
The vulnerability has been addressed in solid-js version 1.9.4. The fix introduces proper HTML escaping functions directly into the server-side rendering module, ensuring that special characters like <, >, &, and " are converted to their corresponding HTML entities (<, >, &, ") before rendering. For detailed information, see the GitHub Security Advisory GHSA-3qxh-p7jc-5xh6 and the security patch commit.
Workarounds
- There are no known workarounds for this vulnerability; upgrading to version 1.9.4 is the only mitigation
- As a temporary defense-in-depth measure, implement strict Content Security Policy headers
- Manually sanitize all user input before rendering in JSX fragments using a library like DOMPurify
- Limit server-side rendering of user-generated content until the patch is applied
# Upgrade solid-js to patched version
npm update solid-js@1.9.4
# Verify installed version
npm list solid-js
# Audit for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
