CVE-2025-27108
Published: 21 February 2025
Summary
CVE-2025-27108 is a high-severity Cross-site Scripting (CWE-79) vulnerability in dom-expressions (vendor Ryansolid), a fine-grained runtime for performant DOM rendering. Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely remediation of the flaw by upgrading dom-expressions to version 0.39.5 (or later), which removes the unsafe use of `.replace()` with a replacement string that can carry attacker-influenced text.
- SI-15 (Information Output Filtering): requires filtering the output assembled into the HTML head (meta and other asset tags) so that the special replacement patterns `$'` and `` $` `` are neutralized before the string reaches `.replace()`, for example by escaping each `$` as `$$` or by passing a function replacer instead of a string.
- SI-10 (Information Input Validation): requires validating user-controlled input that populates meta tag attributes, rejecting or sanitizing values containing `$`-prefixed replacement patterns before insertion. This is defence in depth; the library fix in 0.39.5 is the primary control, and the NVD description lists no workaround.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploitation is a remote attack on a public-facing web application (T1190) whose payload is arbitrary JavaScript executed in the victim's browser (T1059.007: JavaScript).
NVD Description
dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of JavaScript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `` $` ``, to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which inject the used assets in the HTML header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary JavaScript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-27108 is a cross-site scripting (XSS) vulnerability in dom-expressions, a fine-grained runtime for performant DOM rendering. The root cause is that, when rendering to an HTML string, the assets destined for the document head are passed as the second argument of JavaScript's `String.prototype.replace()`. When that argument is a string, the engine interprets special patterns beginning with `$`: `$'` expands to the portion of the subject string after the match and `` $` `` to the portion before it. The issue particularly affects user-defined attributes on Meta tags managed by the solid-meta package, which uses `useAffect` and context providers to inject assets into the HTML header. HTML attribute escaping neutralizes `<`, `>`, `&` and quotes but does nothing to `$`, so a `$'` or `` $` `` inside a user-controlled attribute survives escaping and causes raw document markup to be spliced into the head at that point, breaking the context the escaping assumed. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote, unauthenticated attackers can exploit this by placing a payload in any user-controllable field that ends up in a Meta tag attribute, such as Open Graph metadata on a user profile page. A query parameter or stored profile value containing `$'` or `` $` `` is enough to alter the rendered markup; the NVD description notes that the payload can also be stored, giving a persistent variant that affects every visitor to the page. Per the CVSS vector no user interaction beyond loading the page is required, and the usual XSS consequences apply: theft of session data, actions performed in the victim's session, and further compromise of the site.
The GitHub security advisory (GHSA-hw62-58pr-7wc5) and the fixing commit (521f75dfa89ed24161646e7007d9d7d21da07767) record the fix in dom-expressions version 0.39.5; all users should upgrade. No workarounds are available, so until the upgrade is in place the only risk reduction is keeping user-controlled data out of asset tag attributes.
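The mechanism described above and both standard fixes, as an added example that is not dom-expressions' or solid-meta's own code. The page skeleton, the `escapeAttr` helper, the `ogDescription` builder and the `injectAssets*` functions are constructed for illustration; the point demonstrated is the `.replace()` call shape, a string replacement (vulnerable) versus a function replacer or a `$$`-escaped string (safe):

```javascript
// Added example (not dom-expressions' or solid-meta's own code): how "$'" and
// "$`" in a String.prototype.replace replacement string turn escaped output
// into raw markup, and the two standard ways to neutralise them.

// Attribute-context HTML escaping of the kind an SSR renderer applies to user
// data. It does not touch "$", so "$'" and "$`" survive escaping intact.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Constructed page skeleton; "</head>" is the marker where assets are injected.
const PAGE =
  '<!DOCTYPE html><html><head><title>Profile</title></head>' +
  '<body><div id="app">Hello</div><script src="/app.js"></script></body></html>';

// Builds an Open Graph meta tag from user-controlled text (constructed; stands
// in for the solid-meta usage the advisory describes).
function ogDescription(userText) {
  return `<meta property="og:description" content="${escapeAttr(userText)}">`;
}

// VULNERABLE: the assets are passed as the replacement *string*, so the engine
// expands "$'" (text after the match) and "$`" (text before it) inside them.
function injectAssetsVulnerable(html, assets) {
  return html.replace("</head>", assets + "</head>");
}

// FIXED (a): a function replacer's return value is inserted verbatim.
function injectAssetsSafe(html, assets) {
  return html.replace("</head>", () => assets + "</head>");
}

// FIXED (b): keep a string replacement but escape every "$" as "$$" first.
// "$$$$" in a replacement string emits the two characters "$$".
function escapeReplacement(s) {
  return s.replace(/\$/g, "$$$$");
}
function injectAssetsEscaped(html, assets) {
  return html.replace("</head>", escapeReplacement(assets) + "</head>");
}

// Check used below: how many times does a fragment appear in the output?
// A count of 2 for body markup means "$'" spliced the document tail into <head>.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Example run with the payload "$'" in the user-controlled attribute.
const PAYLOAD = "$'";
const vuln = injectAssetsVulnerable(PAGE, ogDescription(PAYLOAD));
const safe = injectAssetsSafe(PAGE, ogDescription(PAYLOAD));
const esc = injectAssetsEscaped(PAGE, ogDescription(PAYLOAD));
console.log("vulnerable: body markup appears", countOccurrences(vuln, '<div id="app">'), "times");
console.log("function replacer: body markup appears", countOccurrences(safe, '<div id="app">'), "times");
console.log("escaped string: body markup appears", countOccurrences(esc, '<div id="app">'), "times");
```

Run with `node`: the vulnerable path reports the body markup twice, because `$'` copied everything after `</head>` into the meta attribute, and the attribute closes at the first `"` of that copy (`id="`), so the remainder, including the `<script>` tag, is parsed as markup rather than as attribute text. Both fixed paths report it once and keep the literal `$'` in the attribute. Note that `replaceAll()` with a string replacement interprets the same `$` patterns, so switching to it is not a fix on its own.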
Details
- CWE(s)