Cross-site Scripting (XSS)
Description
hellojs before 1.18.6 has a reflected XSS vulnerability via the oauth_redirect parameter, which is passed to location.assign without sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-7741 is a reflected Cross-Site Scripting (XSS) vulnerability in the hellojs JavaScript library, affecting all versions before 1.18.6. The root cause is in the code that handles OAuth redirects: it reads the oauth_redirect parameter from the URL, runs it through decodeURIComponent, and passes the result straight to location.assign() without checking the scheme or the target [1][2]. Because location.assign() will navigate to a javascript: URL, an attacker who supplies a value such as javascript:alert(1) in oauth_redirect gets attacker-controlled JavaScript executed in the origin of the page that includes hellojs.
Exploitation
No authentication is required. The attacker crafts a URL whose oauth_redirect value carries the payload and delivers it to a victim, who only has to load it; nothing is stored server-side, and the only network position needed is the ability to get the link in front of the victim. The vulnerable code does not check that the parameter is an absolute URL or that its scheme is http or https, so any scheme the browser will navigate to, including javascript:, is accepted [1][2]. Percent-encoding the payload does not hinder the attack, since the code decodes the parameter before assigning it.
Impact
Successful exploitation runs attacker-supplied JavaScript in the victim's browser within the origin of the application that loads hellojs. The consequences are those of any reflected XSS: theft of session cookies not marked HttpOnly, theft of secrets the page keeps in web storage (for an OAuth client library this includes the access tokens it obtains), requests issued with the victim's session, and defacement [1][2]. The GitHub and Snyk advisories cited below carry the vendors' severity ratings. Every application shipping a hellojs version before 1.18.6 is exposed.
Mitigation
The issue was fixed in commit d6f5137, which decodes oauth_redirect into a local variable and calls location.assign() only if an isValidUrl() check accepts it [3]. Users should upgrade hellojs to version 1.18.6 or later. For earlier versions there is no library-level workaround; the parameter has to be validated before it reaches the vulnerable code, for instance by rejecting anything that is not an absolute http(s) URL on an origin the application expects [2]. As defense in depth, a Content Security Policy whose script-src does not allow 'unsafe-inline' also blocks navigation to javascript: URLs, although it does not remove the underlying bug.
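The flow described in the overview and the validation called for in the mitigation, as an added example that is not hello.js code: a redirect handler in the pre-1.18.6 shape beside a hardened one. The parameter parser, the `assign` callback standing in for location.assign, the `safeRedirectTarget` validator (not the library's isValidUrl), the allowed-origin list and the sample query strings are all constructed for this illustration.

```javascript
// Added example, not hello.js code. Shows the pre-1.18.6 redirect shape
// (oauth_redirect -> decodeURIComponent -> location.assign) beside a
// hardened handler that allows only http(s) URLs on known origins.
// `assign` is a callback standing in for location.assign so this runs in Node.

// Split a query or fragment string into raw (still percent-encoded) pairs.
// Constructed stand-in for the library's own parameter parser.
function parseParams(str) {
  const out = {};
  for (const pair of str.replace(/^[?#]/, '').split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = i < 0 ? pair : pair.slice(0, i);
    out[key] = i < 0 ? '' : pair.slice(i + 1);
  }
  return out;
}

// Vulnerable shape: the decoded parameter goes straight to assign().
// A javascript: value runs as script in the page's origin.
function vulnerableRedirect(params, assign) {
  if (!('oauth_redirect' in params)) return false;
  assign(decodeURIComponent(params.oauth_redirect));
  return true;
}

// Hardened validator (hypothetical; not the library's isValidUrl).
// Returns the normalised target or null. new URL() without a base
// rejects relative and scheme-relative ("//evil.example") input and
// lower-cases the scheme, so "JavaScript:" cannot dodge the comparison.
function safeRedirectTarget(raw, allowedOrigins) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Scheme alone is not enough: an http(s) URL to any host is an open
  // redirect, so the origin must also be one the application expects.
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Hardened shape: navigate only to a validated target, and do not fail
// silently, so a rejected value is visible in logs.
function hardenedRedirect(params, assign, allowedOrigins) {
  if (!('oauth_redirect' in params)) return false;
  const target = safeRedirectTarget(decodeURIComponent(params.oauth_redirect), allowedOrigins);
  if (target === null) {
    console.warn('rejected oauth_redirect value:', params.oauth_redirect);
    return false;
  }
  assign(target);
  return true;
}

// Constructed sample query strings, as they would reach the redirect page.
const SAMPLE_QUERIES = [
  '?oauth_redirect=javascript%3Aalert(document.domain)',                 // XSS payload
  '?oauth_redirect=https%3A%2F%2Fapp.example%2Fcallback%3Fstate%3Dabc',  // legitimate
  '?oauth_redirect=%2F%2Fevil.example%2Fx',                               // scheme-relative
  '?oauth_redirect=https%3A%2F%2Fevil.example%2F',                        // wrong origin
  '?oauth_redirect=data%3Atext%2Fhtml%2C%3Cscript%3Ealert(1)%3C%2Fscript%3E', // data: URL
];
const ALLOWED_ORIGINS = ['https://app.example']; // assumed deployment origin

// Run both handlers over the samples and record what each would navigate to.
function runDemo() {
  return SAMPLE_QUERIES.map((query) => {
    const params = parseParams(query);
    let vulnerable = null;
    let hardened = null;
    vulnerableRedirect(params, (u) => { vulnerable = u; });
    hardenedRedirect(params, (u) => { hardened = u; }, ALLOWED_ORIGINS);
    return { query, vulnerable, hardened };
  });
}

for (const r of runDemo()) console.log(r);
```

The vulnerable handler navigates to every sample, including the javascript: and data: payloads; the hardened one navigates only to the https://app.example callback. The origin allowlist matters as much as the scheme check: a scheme-only check would still send the user to https://evil.example/, turning the XSS into an open redirect that phishes the OAuth flow.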
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hellojs (npm) | < 1.18.6 | 1.18.6 |
Affected products
- hellojs/hellojs
Patches
d6f5137f30de fix(xss): oauth_redirect should be a valid url
1 file changed · +5 −1
src/hello.js+5 −1 modified@@ -1388,8 +1388,12 @@ hello.utils.extend(hello.utils, { // (URI Fragments within 302 Location URI are lost over HTTPS) // Loading the redirect.html before triggering the OAuth Flow seems to fix it. else if ('oauth_redirect' in p) { + var url = decodeURIComponent(p.oauth_redirect); + + if (isValidUrl(url)) { + location.assign(url); + } - location.assign(decodeURIComponent(p.oauth_redirect)); return; }
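Review bot: the hunk gates `location.assign(url)` on `isValidUrl(url)`, but the helper's body is not part of this change, so the review cannot confirm what it accepts; `javascript:` and `data:` values are syntactically valid URLs, so the check must be an explicit `http:`/`https:` scheme allowlist rather than a URL-shape test, and because any http(s) host passes a scheme check it should also constrain the origin (same origin or a configured list), otherwise the XSS is traded for an open redirect. The new `if` also falls through silently when the value is rejected: the `return` still runs and the flow simply stops with no error or log, so an `else` that reports the rejected value would help operators notice attempts. A unit test with `javascript:`, `data:`, `//host` and a cross-origin https value would pin the intended behaviour.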
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7jh9-6cpf-h4m7 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7741 (NVD)
- github.com/MrSwitch/hello.js/blob/3b79ec93781b3d7b9c0b56f598e060301d1f3e73/dist/hello.all.js#L1545 (affected code in dist/hello.all.js)
- github.com/MrSwitch/hello.js/commit/d6f5137f30de6e0ef7048191ee6ae575fdc2f669 (fix commit)
- snyk.io/vuln/SNYK-JS-HELLOJS-1014546 (Snyk advisory)