Cyber Resilience

CVE-2025-27108

Severity: High
Published: 21 February 2025
Modified: 27 February 2025
KEV Added: not listed
Patch: fixed in dom-expressions 0.39.5
CVSS Score (v3.1): 7.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 15 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27108 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ryansolid Dom Expressions. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-27108 is a cross-site scripting (XSS) vulnerability in dom-expressions, a fine-grained runtime for performant DOM rendering, stemming from the unsafe use of JavaScript's `.replace()` method with special replacement patterns beginning with `$`, such as `$'` or ``$` ``. This issue particularly affects scenarios involving user-defined attributes in Meta tags managed by the solid-meta package, which leverages `useAffect` and context providers to inject assets into the HTML header. Dom-expressions' `.replace()` implementation during asset insertion fails to sanitize these patterns, enabling XSS when user-controlled data populates asset tag attributes. The vulnerability is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote, unauthenticated attackers can exploit this vulnerability by injecting malicious payloads into user-controllable fields that influence Meta tag attributes, such as Open Graph protocol metadata on user profile pages. For example, an attacker could craft a query parameter abusing the `.replace()` patterns to execute arbitrary JavaScript in the victim's browser upon page load. The attack supports both reflected and stored variants, potentially amplifying impact through persistence, allowing theft of session data, cookie manipulation, or further site compromise without requiring user interaction beyond visiting the affected page.

The GitHub security advisory (GHSA-hw62-58pr-7wc5) and related commit (521f75dfa89ed24161646e7007d9d7d21da07767) confirm the fix in dom-expressions version 0.39.5, recommending that all users upgrade immediately. No workarounds are available.

Vulnerability details

dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or ``$` `` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
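The `.replace()` replacement-pattern behaviour described in the deeper analysis and in the advisory text above, as an added example that is not code from dom-expressions or solid-meta: a constructed page skeleton, the vulnerable string-replacement insertion beside a function-replacer form and a `$`-escaping form, plus an input-side check for the patterns. The page skeleton, the `og:title` value and all function names are constructed for illustration; the fix in version 0.39.5 is not reproduced here.

```javascript
// Added example (not the project's code): unsafe vs. hardened asset insertion.

// Constructed page skeleton; asset tags are inserted just before </head>.
const TEMPLATE = "<html><head><title>Profile</title></head><body>hi</body></html>";

// Vulnerable pattern: the replacement is a string, so "$'" (text after the
// match) and "$`" (text before it) inside assetTag are interpreted.
function insertAssetsUnsafe(html, assetTag) {
  return html.replace("</head>", assetTag + "</head>");
}

// Hardened: a function replacer's return value is inserted literally,
// so no "$" pattern processing takes place.
function insertAssetsSafe(html, assetTag) {
  return html.replace("</head>", () => assetTag + "</head>");
}

// Alternative when a string replacement must be kept: "$$" is the escape
// for a literal "$", so every "$" in the replacement is doubled first.
function escapeReplacement(s) {
  return s.replace(/\$/g, "$$$$"); // "$$$$" as a replacement yields "$$"
}
function insertAssetsEscaped(html, assetTag) {
  return html.replace("</head>", escapeReplacement(assetTag) + "</head>");
}

// Input-side check (the page's SI-10 control): flags any value carrying a
// special replacement pattern ($$, $&, $`, $', $n, $<name>) before it can
// reach an asset attribute.
const REPLACEMENT_PATTERN = /\$(?:[$&`']|\d{1,2}|<[^>]*>)/;
function hasReplacementPattern(value) {
  return REPLACEMENT_PATTERN.test(value);
}

// Constructed user-controlled value such as an og:title taken from a query
// parameter; "$'" is one of the two patterns named in the advisory.
const USER_VALUE = "x$'";
const META_TAG = `<meta property="og:title" content="${USER_VALUE}">`;

// Renders the same tag through each routine: only the unsafe one ends up
// with a copy of the page body inside the content attribute.
function demo() {
  return {
    unsafe: insertAssetsUnsafe(TEMPLATE, META_TAG),
    safe: insertAssetsSafe(TEMPLATE, META_TAG),
    escaped: insertAssetsEscaped(TEMPLATE, META_TAG),
  };
}
```

Running `demo()` shows the unsafe variant copying everything after `</head>` into the attribute value, which is the escape-bypass the advisory describes, while both hardened variants keep `$'` as literal text.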

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The XSS vulnerability enables remote exploitation of public-facing web applications (T1190) to inject and execute arbitrary JavaScript in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40568 (shared: CWE-116, CWE-79)
CVE-2025-27109 (shared: CWE-116, CWE-79)
CVE-2026-27013 (shared: CWE-116, CWE-79)
CVE-2026-26027 (shared: CWE-116, CWE-79)
CVE-2026-32754 (shared: CWE-116, CWE-79)
CVE-2026-3231 (shared: CWE-79)
CVE-2025-23481 (shared: CWE-79)
CVE-2025-69302 (shared: CWE-79)
CVE-2025-23734 (shared: CWE-79)
CVE-2025-23571 (shared: CWE-79)

Affected Assets

ryansolid dom expressions, versions ≤ 0.39.5

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: Directly mandates timely remediation of the specific flaw in dom-expressions via patching to version 0.39.5, eliminating the unsafe `.replace()` vulnerability.

prevent (SI-15, Information Output Filtering): Requires filtering of information output during HTML header injection, such as meta tags, to neutralize special replacement patterns like `$'` or ``$` `` and prevent XSS.

prevent (SI-10, Information Input Validation): Enforces validation of user-controlled inputs populating meta tag attributes to reject or sanitize malicious payloads exploiting `.replace()` patterns before insertion.
