Slim Select 2.0 createOption "text" XSS
Description
Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to innerHTML without sanitization. Software that depends on this library to dynamically generate lists from unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker-executed JavaScript. At this time, no patch is available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Slim Select 2.0 through 2.9.0 uses unsanitized innerHTML in createOption(), enabling stored XSS via user-supplied text.
Vulnerability
Overview
CVE-2024-9440 is a cross-site scripting (XSS) vulnerability in the Slim Select library, versions 2.0 through 2.9.0. The flaw resides in the createOption() function inside select.ts, where the text property from a user-provided Options object is directly assigned to innerHTML without any sanitization [1][3]. This allows an attacker to inject arbitrary HTML and JavaScript into the document when the library processes unsanitized input to dynamically generate option lists.
Exploitation
To exploit the vulnerability, an application must pass unsanitized user-controlled data as part of the Options object when creating a Slim Select instance. The attacker does not need prior authentication to the library itself, but the attack surface depends on how the consuming application handles user input. For example, if an application takes user names or tags and directly includes them in the data array used by Slim Select, an attacker can embed malicious scripts into the text field [2][4]. The XSS payload executes when the library inserts the option into the DOM.
Impact
Successful exploitation leads to stored or reflected cross-site scripting, depending on how the input is persisted. An attacker can execute arbitrary JavaScript in the context of the user's browser, potentially stealing session cookies, defacing the page, or performing actions on behalf of the victim [3]. The vulnerability affects any web application that relies on Slim Select to render user-generated lists without prior sanitization.
Mitigation
As of the publication date, no official patched version of Slim Select has been released. A pull request (#572) exists on the GitHub repository that replaces the vulnerable innerHTML assignment with textContent, which would prevent XSS by treating the input as plain text [1]. Until a new version is published, developers should sanitize all user input before passing it to Slim Select, or consider using an alternative library that safely handles HTML content. The CVE has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
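The mitigation paragraph above recommends sanitizing user input before it reaches Slim Select. The following is an added example (not Slim Select's own code) of that application-side step for the affected versions: it escapes the `text` field of a Slim Select data array so the innerHTML sink in createOption() renders it literally, drops any untrusted `html` field, and records which entries looked like markup. It assumes Slim Select's data shape of options `{ text, value, html? }` and optgroups `{ label, options: [] }`; the sample input is constructed.

```javascript
// Added example, not Slim Select's own code. Assumes the Slim Select data
// shape: options `{ text, value, html? }`, optgroups `{ label, options: [] }`.

// Escape the five characters that let a string break out of text context
// when it is written through innerHTML (affected versions < 2.9.2).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Detection heuristic for logging only: does the text contain a tag opener?
function looksLikeMarkup(s) {
  return /<\s*\/?[a-z!?]/i.test(String(s));
}

// Return a sanitized copy of a Slim Select data array. `text` and optgroup
// `label` are entity-escaped; an untrusted `html` field is removed because
// Slim Select renders it as raw HTML by design. `flagged` collects the
// values whose text looked like markup so the application can log them.
function sanitizeSlimSelectData(data, flagged = []) {
  return data.map((item) => {
    if (Array.isArray(item.options)) {            // optgroup entry
      return { ...item, label: escapeHtml(item.label ?? ''),
               options: sanitizeSlimSelectData(item.options, flagged) };
    }
    const { html, ...rest } = item;               // strip untrusted html field
    if (looksLikeMarkup(rest.text)) flagged.push(rest.value ?? rest.text);
    return { ...rest, text: escapeHtml(rest.text ?? '') };
  });
}

// Constructed sample: a user-name list; the second entry carries the same
// string the project's own regression test uses.
const untrusted = [
  { text: 'alice', value: 'u1' },
  { text: '<img src=x onerror=alert(1)>', value: 'u2', html: '<b>x</b>' },
  { label: 'Tags', options: [{ text: 'a&b', value: 't1' }] },
];

const flagged = [];
const safe = sanitizeSlimSelectData(untrusted, flagged);
console.log(JSON.stringify(safe, null, 1), 'flagged:', flagged);
```

Once an application is on a release whose createOption() uses textContent (the change in pull request #572), pass the raw text instead: the escaped entities would otherwise be displayed literally.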
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slim-select (npm) | >= 2.0.0, < 2.9.2 | 2.9.2 |
Affected products
- Range: v0.1.0, v0.10.0, v0.11.0, …
Patches
f8534f27d6e9 Merge pull request #572 from Shoplifter/master
2 files changed · +16 −1
src/slim-select/select.ts+1 −1 modified@@ -374,7 +374,7 @@ export default class Select { const optionEl = document.createElement('option') optionEl.id = info.id optionEl.value = info.value - optionEl.innerHTML = info.text + optionEl.textContent = info.text if (info.html !== '') { optionEl.setAttribute('data-html', info.html) }
src/slim-select/settings.test.ts+15 −0 modified@@ -195,6 +195,21 @@ describe('Settings module', () => { expect(optionElement.dataset.html).toBe(option.html) }) + test('malicious text is inserted with innerText', () => { + // decoded text: <img src=x onerror=alert(1)></img> + const str = '<img src=x onerror=alert(1)></img>' + // const str = 'opt' + const decode = (string: string|null) => { + if(string === null) return '' + const doc = new DOMParser().parseFromString(string, "text/html") + return doc.documentElement.textContent; + } + const option = new Option({ text: str }) + const optionElement = select.createOption(option) + // expect(decode(optionElement.textContent)).toBe('opt') + expect(optionElement.textContent).toBe(str) + }) + test('disabled sets disabled property correctly', () => { const option = new Option({ text: 'opt', disabled: true }) const optionElement = select.createOption(option)
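Review bot: in the select.ts hunk the switch from `optionEl.innerHTML = info.text` to `optionEl.textContent = info.text` is the right fix, but the same hunk still copies `info.html` into a `data-html` attribute unchanged and nothing in the diff documents that `html` is a deliberately trusted raw-HTML channel. Suggest a one-line comment above the `textContent` assignment stating that `text` must remain a text sink (so a later refactor does not reintroduce innerHTML) and noting the trust assumption for `html`; the merge commit message also says nothing about the security nature of the change, so a reference to the XSS report would help anyone reading the history.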
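Review bot: in the settings.test.ts hunk the test name `malicious text is inserted with innerText` does not match the assertion, which checks `textContent`, and the hunk carries dead code (`// const str = 'opt'`, the unused `decode` helper and the commented-out `expect(decode(...))`) that should be removed before merge. The single `expect(optionElement.textContent).toBe(str)` does distinguish the fixed from the vulnerable behaviour for this payload, but stating the property directly is clearer; adding `expect(optionElement.children.length).toBe(0)` (or comparing `optionElement.innerHTML` to the entity-escaped form) pins down that no element was created from the string.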
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qvqv-mcxr-x8qw (ghsa: advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-9440 (ghsa: advisory)
- vulncheck.com/advisories/slim-select-xss (ghsa: third-party-advisory, web)
- github.com/brianvoe/slim-select/blob/e7e37e2ff90e125f846bd98d6b8f278524ead79e/src/slim-select/select.ts (ghsa: x_vulnerable-code, web)
- github.com/brianvoe/slim-select/commit/f8534f27d6e9bab89024d139f1c4f7555f1efd5e (ghsa: web)
- github.com/brianvoe/slim-select/issues/564 (ghsa: issue-tracking, web)
- github.com/brianvoe/slim-select/pull/572 (ghsa: web)
News mentions
No linked articles in our index yet.