VYPR
Moderate severity · NVD Advisory · Published Dec 21, 2022 · Updated Apr 16, 2025

Cross-site Scripting (XSS)

CVE-2022-25929

Description

Versions of the package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input in the strokeStyle and tooltipLabel properties. The vulnerability is exploitable when a user can control these properties.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions      Patched versions
smoothie (npm)   >= 1.31.0, < 1.36.1    1.36.1

Affected products

2
  • smoothie/smoothie description
  • ghsa-coords
    Range: >= 1.31.0, < 1.36.1
