Reflected XSS vulnerability when rendering error messages in laminas-form
Description
In laminas-form prior to 3.1.1, the formElementErrors() view helper did not escape validation error messages, allowing reflected XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
laminas-form, a PHP package for validating and displaying forms, contains a reflected cross-site scripting (XSS) vulnerability in the formElementErrors() view helper. When rendering validation error messages, many messages include the submitted value. In affected versions, the value was not escaped for HTML contexts, enabling an attacker to inject arbitrary HTML or JavaScript. The vulnerability affects versions prior to 2.17.1, 3.0.0 through 3.0.1, and 3.1.0. The fix is available in versions 2.17.1, 3.0.2, and 3.1.1 [1][4].
Exploitation
The vulnerability is triggered by submitting a crafted input value containing HTML or JavaScript as a form field. When validation fails and the formElementErrors() view helper displays the resulting error messages, any message that echoes the submitted value is rendered unescaped in the browser. No authentication or write access is required, and the attack is reflected: the payload arrives in the victim's own request and is echoed back in the response, so it executes in the context of the victim's session. No race window or special timing is needed [1][4].
Impact
Successful exploitation leads to reflected cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, cookie theft, or other client-side attacks. The impact is limited by the context in which the form is rendered, but generally allows the attacker to act on behalf of the victim within the same web application [1][4].
Mitigation
The vulnerability has been patched in laminas-form versions 2.17.1, 3.0.2, and 3.1.1, released on 2022-01-28 [1][2][4]. Users should update immediately. For versions prior to 3.1.0, a workaround exists: manually escape error messages by placing a closure at the top of the view script before calling formElementErrors(). The closure uses escapeHtml() on each message. Example code is available in the security advisory [4]. This CVE is not currently listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
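The following is an added example, not code from laminas-form or from the advisory: a stand-alone PHP model of what the formElementErrors() helper does with an element's validation messages, showing the pre-fix (unescaped) rendering beside the fixed (escaped) rendering, plus a function that models the advisory's workaround of escaping the messages before the unpatched helper joins them. The markup format strings, the message structure and the workaround shape are assumptions; in a real view script the escaper would be the view's `$this->escapeHtml()` and the messages would come from `$element->getMessages()`.

```php
<?php
declare(strict_types=1);

// Added example, not laminas-form's own code: a stand-alone model of what
// formElementErrors() does with an element's validation messages, with the
// unescaped (vulnerable) rendering beside the escaped one. The markup
// format strings are assumed to mirror the helper's defaults. Requires PHP 8.

const MESSAGE_OPEN      = '<ul%s><li>';
const MESSAGE_SEPARATOR = '</li><li>';
const MESSAGE_CLOSE     = '</li></ul>';

/**
 * Validator messages arrive nested (one array per validator); the helper
 * flattens them with array_walk_recursive before joining. Same here.
 */
function flattenMessages(array $messages): array
{
    $flat = [];
    array_walk_recursive($messages, static function ($message) use (&$flat): void {
        $flat[] = (string) $message;
    });
    return $flat;
}

/** Escape one message for an HTML text context, as the fix does through the EscapeHtml helper. */
function escapeMessage(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Pre-fix behaviour: messages are joined into markup exactly as received. */
function renderUnescaped(array $messages, string $attributes = ''): string
{
    return sprintf(MESSAGE_OPEN, $attributes)
        . implode(MESSAGE_SEPARATOR, flattenMessages($messages))
        . MESSAGE_CLOSE;
}

/** Fixed behaviour: every flattened message is escaped before it is joined. */
function renderEscaped(array $messages, string $attributes = ''): string
{
    return sprintf(MESSAGE_OPEN, $attributes)
        . implode(MESSAGE_SEPARATOR, array_map('escapeMessage', flattenMessages($messages)))
        . MESSAGE_CLOSE;
}

/**
 * Model of the advisory's workaround for unpatched versions (assumed shape):
 * escape the messages on the element, keeping their nesting, before the
 * unpatched helper sees them, e.g.
 *   $element->setMessages(escapeNested($element->getMessages()));
 * In a real view script the escaper would be $this->escapeHtml().
 */
function escapeNested(array $messages): array
{
    array_walk_recursive($messages, static function (&$message): void {
        $message = escapeMessage((string) $message);
    });
    return $messages;
}

// Constructed sample: a validator message that echoes the submitted value,
// and a submitted value that carries markup.
$submitted = '<b>not-an-email</b>';
$messages  = [
    'emailAddressInvalidFormat' => [sprintf("'%s' is not a valid email address", $submitted)],
];

echo 'Unescaped:  ', renderUnescaped($messages, ' class="errors"'), PHP_EOL;
echo 'Escaped:    ', renderEscaped($messages, ' class="errors"'), PHP_EOL;
echo 'Workaround: ', renderUnescaped(escapeNested($messages), ' class="errors"'), PHP_EOL;

// Sanity checks: the raw tag must not survive in either safe rendering,
// and the escaped entity form must be present (escaped, not stripped).
assert(! str_contains(renderEscaped($messages), '<b>'));
assert(! str_contains(renderUnescaped(escapeNested($messages)), '<b>'));
assert(str_contains(renderEscaped($messages), '&lt;b&gt;'));
```

The last assertion is the one worth keeping in any regression test: checking only that `<b>` is absent would also pass for an implementation that strips tags, which is a different (and lossy) behaviour from escaping.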
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| laminas/laminas-form (Packagist) | >= 3.1.0, < 3.1.1 | 3.1.1 |
| laminas/laminas-form (Packagist) | >= 3.0.0, < 3.0.2 | 3.0.2 |
| laminas/laminas-form (Packagist) | < 2.17.1 | 2.17.1 |
Affected products
- Range: < 3.1.1
Patches
43005a3ec4c2 Merge pull request from GHSA-jq4p-mq33-w375
3 files changed · +30 −1
composer.json+5 −1 modified@@ -54,7 +54,11 @@ "laminas/laminas-view": "^2.14, required for using the laminas-form view helpers" }, "config": { - "sort-packages": true + "sort-packages": true, + "allow-plugins": { + "composer/package-versions-deprecated": true, + "dealerdirect/phpcodesniffer-composer-installer": true + } }, "extra": { "laminas": {
src/View/Helper/FormElementErrors.php+7 −0 modified@@ -9,6 +9,7 @@ use function array_merge; use function array_walk_recursive; +use function count; use function implode; use function sprintf; @@ -77,6 +78,12 @@ public function render(ElementInterface $element, array $attributes = []): strin $attributes = ' ' . $attributes; } + $count = count($messages); + $escaper = $this->getEscapeHtmlHelper(); + for ($i = 0; $i < $count; $i += 1) { + $messages[$i] = $escaper($messages[$i]); + } + // Generate markup $markup = sprintf($this->getMessageOpenFormat(), $attributes); $markup .= implode($this->getMessageSeparatorString(), $messages);
test/View/Helper/FormElementErrorsTest.php+18 −0 modified@@ -222,4 +222,22 @@ public function testCallingTheHelperToRenderInvokeCanReturnObject(): void $helper = $this->helper; $this->assertEquals($helper(), $helper); } + + public function testHtmlEscapingOfMessages(): void + { + $messages = [ + [ + '<span>First validator message</span>', + '<span>Second validator first message</span>', + '<span>Second validator second message</span>', + ], + ]; + $element = new Element('foo'); + $element->setMessages($messages); + + $markup = $this->helper->render($element); + + $this->assertStringNotContainsString('<span>', $markup); + $this->assertStringNotContainsString('</span>', $markup); + } }
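Review bot: the `allow-plugins` block added to composer.json is unrelated to the escaping fix in FormElementErrors.php; split it into its own tooling commit, or at least call it out in the PR description, so that the security backports for the 2.17.x and 3.0.x branches do not carry a Composer configuration change they may not need.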
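Review bot: the escaping loop in `render()` walks `$messages[0]` through `$messages[$count - 1]`, so any message stored under a non-sequential key is silently left unescaped and a gap in the keys raises an undefined-index notice; since the hunk already imports `array_walk_recursive` and the messages have just been flattened, `foreach ($messages as $key => $message) { $messages[$key] = $escaper($message); }` (or an `array_map`) escapes every entry regardless of keys. Also, `getEscapeHtmlHelper()` is not in this hunk's context, so confirm it is defined on the helper's base class rather than being a new dependency this change introduces.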
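Review bot: `testHtmlEscapingOfMessages` only asserts that `<span>` and `</span>` are absent from the markup, which an implementation that strips tags would also satisfy; add a positive assertion such as `$this->assertStringContainsString('&lt;span&gt;First validator message&lt;/span&gt;', $markup);` so the test pins escaping rather than removal, and consider a message containing quotes and an ampersand, which is where escaper configuration differences show up.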
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jq4p-mq33-w375 (GHSA; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CFF6WJ5I7PSEBRF6I753WKE2BXFBGQXE/ (MITRE; vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLNABVK26CE4PFL57VLY242FW3QY4CPC/ (MITRE; vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2022-23598 (GHSA; advisory)
- getlaminas.org/security/advisory/LP-2022-01 (GHSA; x_refsource_MISC, web)
- github.com/laminas/laminas-form/commit/43005a3ec4c2292d4f825273768d9b884acbca37 (GHSA; x_refsource_MISC, web)
- github.com/laminas/laminas-form/releases/tag/2.17.1 (GHSA; web)
- github.com/laminas/laminas-form/security/advisories/GHSA-jq4p-mq33-w375 (GHSA; x_refsource_CONFIRM, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFF6WJ5I7PSEBRF6I753WKE2BXFBGQXE (GHSA; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLNABVK26CE4PFL57VLY242FW3QY4CPC (GHSA; web)
News mentions
No linked articles in our index yet.