Cross-site Scripting vulnerability due to improper use of string.replace in dom-expressions
Description
dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions, the use of JavaScript's .replace() opens the door to Cross-site Scripting (XSS) through the special replacement patterns beginning with $. In particular, when the attributes of a Meta tag from solid-meta are user-defined, attackers can use the special replacement patterns $' or $` to achieve XSS. The solid-meta package has this issue because it uses useAffect and context providers, which inject the used assets into the HTML header. dom-expressions uses .replace() to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contain user-controlled data, the page is vulnerable to XSS. For instance, a user profile page might carry meta tags for the Open Graph protocol; if attackers set the user query to a payload abusing .replace(), they could execute arbitrary JavaScript in the victim's web browser. Moreover, the payload could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in dom-expressions arises from unsafe use of JavaScript's .replace() with special replacement patterns, enabling arbitrary JS injection through user-controlled asset attributes like Meta tags.
Root Cause
A cross-site scripting (XSS) vulnerability exists in the dom-expressions library due to improper use of JavaScript's .replace() method when injecting assets into HTML. The .replace() function interprets special replacement patterns beginning with $, such as $' (which inserts the portion of the string that follows the matched substring) and $` (which inserts the portion before the match). When the attributes of asset tags (e.g., Meta tags from solid-meta) contain user-controlled data, an attacker can craft a payload that leverages these replacement patterns to execute arbitrary scripts. The solid-meta package triggers the injection of assets into the HTML header via context providers and useAffect, passing user-supplied attribute values into the vulnerable .replace() call [1][4].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted string in a user-controlled attribute of a Meta tag, such as an Open Graph property on a user profile page. The payload uses the $' or $` special pattern to break out of the intended replacement string and inject arbitrary JavaScript into the rendered HTML. No authentication is required if the attacker can control the attribute value (e.g., via a query parameter or stored data). The attack is server-side during SSR or streaming rendering, and it can be stored persistently if the malicious attribute is saved and served to other users [1][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser when the page is rendered. This can lead to session hijacking, theft of sensitive data, defacement, or further compromise of the user's session. Because the injection occurs at the HTML-rendering stage, it can affect both direct visitors and users who view stored content, potentially leading to widespread impact [1][4].
Mitigation
The issue is patched in dom-expressions version 0.39.5, where the vulnerable .replace() calls are replaced with safe string concatenation (using slice) and the escape function is applied to asset content [3]. All users should upgrade to the latest version. No workarounds are available, so patching is essential [1].
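The .replace() behaviour behind this issue, as an added example that is not code from dom-expressions itself: the two functions follow the before and after shape of injectAssets in the fix commit, while the HTML shell, the asset value and the hasActiveReplacementPattern helper are constructed for illustration. The helper goes slightly beyond the two patterns named above and also flags $& and $$, which String.prototype.replace expands the same way.

```javascript
// Pre-0.39.5 shape: the asset markup is passed as the *replacement string*,
// so $' $` $& and $$ inside it are expanded by String.prototype.replace.
function injectAssetsVulnerable(assets, html) {
  if (!assets || !assets.length) return html;
  let out = "";
  for (let i = 0, len = assets.length; i < len; i++) out += assets[i]();
  return html.replace(`</head>`, out + `</head>`);
}

// 0.39.5 shape: find the insertion point and concatenate; nothing is interpreted.
function injectAssetsFixed(assets, html) {
  if (!assets || !assets.length) return html;
  let out = "";
  for (let i = 0, len = assets.length; i < len; i++) out += assets[i]();
  const index = html.indexOf("</head>");
  if (index === -1) return html;
  return html.slice(0, index) + out + html.slice(index);
}

// Hypothetical review/logging helper: true when a value would be rewritten if it
// ever reached the replacement argument of .replace() with a string pattern.
function hasActiveReplacementPattern(value) {
  return /\$[$&`']/.test(value);
}

function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Constructed sample data: a minimal SSR shell and one user-influenced attribute.
// The value contains no angle brackets or double quotes, only the $' pattern.
const shell = "<html><head><title>t</title></head><body><p>BODY</p></body></html>";
const userValue = "profile-$'-end";
const assets = [() => `<meta property="og:title" content="${userValue}">`];

const bad = injectAssetsVulnerable(assets, shell);
const good = injectAssetsFixed(assets, shell);

// In the vulnerable output, $' has been swapped for everything after </head>,
// so body markup now sits inside the content="..." attribute in the head.
console.log("vulnerable:", bad);
console.log("fixed:     ", good);
console.log("body copies (vulnerable/fixed):",
  countOccurrences(bad, "<p>BODY</p>"), countOccurrences(good, "<p>BODY</p>"));
console.log("value flagged:", hasActiveReplacementPattern(userValue));
```

The duplicated body markup in the vulnerable output is the signal to look for: text the server placed elsewhere in the document is pulled into the asset tag, which is how attribute data ends up outside its quotes.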
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dom-expressions (npm) | < 0.39.5 | 0.39.5 |
Affected products
- Range: <0.39.5
- ryansolid/dom-expressions v5 Range: < 0.39.5
Patches
521f75dfa89e avoid vulnerability in string.replace
3 files changed · +26 −226
packages/dom-expressions/src/server.js+5 −6 modified@@ -154,10 +154,7 @@ export function renderToStream(code, options = {}) { const first = html.indexOf(placeholder); if (first === -1) return; const last = html.indexOf(`<!--!$/${id}-->`, first + placeholder.length); - html = html.replace( - html.slice(first, last + placeholder.length + 1), - resolveSSRNode(payloadFn()) - ); + html = html.slice(0, first) + resolveSSRNode(escape(payloadFn())) + html.slice(last + placeholder.length + 1); }, serialize(id, p, wait) { const serverOnly = sharedConfig.context.noHydrate; @@ -513,7 +510,7 @@ export function getHydrationKey() { } export function useAssets(fn) { - sharedConfig.context.assets.push(() => resolveSSRNode(fn())); + sharedConfig.context.assets.push(() => resolveSSRNode(escape(fn()))); } export function getAssets() { @@ -567,7 +564,9 @@ function injectAssets(assets, html) { if (!assets || !assets.length) return html; let out = ""; for (let i = 0, len = assets.length; i < len; i++) out += assets[i](); - return html.replace(`</head>`, out + `</head>`); + const index = html.indexOf("</head>"); + if (index === -1) return html; + return html.slice(0, index) + out + html.slice(index); } function injectScripts(html, scripts, nonce) {
packages/dom-expressions/test/ssr/ssr.spec.js+1 −1 modified@@ -75,7 +75,7 @@ const Comp2 = () => { const Comp3 = () => { const greeting = "Hello", name = "<div/>"; - r.useAssets(() => `<link rel="modulepreload" href="chunk.js">`) + r.useAssets(() => r.ssr`<link rel="modulepreload" href="chunk.js">`) return r.ssr`<span> ${r.escape(greeting)} ${r.escape(name)}${r.HydrationScript()}${r.getAssets()}</span>`; };
pnpm-lock.yaml+20 −219 modified@@ -92,9 +92,6 @@ importers: html-entities: specifier: 2.3.3 version: 2.3.3 - jest-diff: - specifier: ^29.7.0 - version: 29.7.0 parse5: specifier: ^7.1.2 version: 7.1.2 @@ -119,8 +116,8 @@ importers: version: 2.3.0 devDependencies: babel-plugin-jsx-dom-expressions: - specifier: ^0.39.0 - version: 0.39.0(@babel/core@7.20.12) + specifier: ^0.39.3 + version: 0.39.3(@babel/core@7.20.12) csstype: specifier: ^3.1 version: 3.1.1 @@ -134,14 +131,14 @@ importers: packages/hyper-dom-expressions: devDependencies: dom-expressions: - specifier: ^0.39.1 - version: 0.39.1(csstype@3.1.1)(seroval-plugins@1.1.0(seroval@1.1.0))(seroval@1.1.0) + specifier: ^0.39.4 + version: 0.39.4(csstype@3.1.1)(seroval-plugins@1.1.0(seroval@1.1.0))(seroval@1.1.0) packages/lit-dom-expressions: devDependencies: dom-expressions: - specifier: ^0.39.1 - version: 0.39.1(csstype@3.1.1)(seroval-plugins@1.1.0(seroval@1.1.0))(seroval@1.1.0) + specifier: ^0.39.4 + version: 0.39.4(csstype@3.1.1)(seroval-plugins@1.1.0(seroval@1.1.0))(seroval@1.1.0) html-parse-string: specifier: ^0.0.9 version: 0.0.9 @@ -1506,10 +1503,6 @@ packages: resolution: {integrity: sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==} engines: {node: '>= 6.0.0'} - agent-base@7.1.1: - resolution: {integrity: sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA==} - engines: {node: '>= 14'} - agentkeepalive@4.2.1: resolution: {integrity: sha512-Zn4cw2NEqd+9fiSVWMscnjyQ1a8Yfoc5oBajLeo5w+YBHgDUcEBY2hS4YpTz6iN5f/2zQiktcuM6tS8x1p9dpA==} engines: {node: '>= 8.0.0'} 
@@ -1625,8 +1618,8 @@ packages: resolution: {integrity: sha512-TnspP2WNiR3GLfCsUNHqeXw0RoQ2f9U5hQ5L3XFpwuO8htQmSrhh8qsB6vi5Yi8+kuynN1yjDjQsPfkebmB6ZA==} engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} - babel-plugin-jsx-dom-expressions@0.39.0: - resolution: {integrity: sha512-PXMD+aFTw+pZaVsNRhxGkVMjscCMmHAwLlNbMj0PG/9Uj3tFR4+ZHjg4RDRSydXiDL0Xoacpoxhc5GiYS6yd6Q==} + babel-plugin-jsx-dom-expressions@0.39.3: + resolution: {integrity: sha512-6RzmSu21zYPlV2gNwzjGG9FgODtt9hIWnx7L//OIioIEuRcnpDZoY8Tr+I81Cy1SrH4qoDyKpwHHo6uAMAeyPA==} peerDependencies: '@babel/core': ^7.20.12 @@ -1951,10 +1944,6 @@ packages: resolution: {integrity: sha512-AZL67abkUzIuvcHqk7c09cezpGNcxUxU4Ioi/05xHk4DQeTkWmGYftIE6ctU6AEt+Gn4n1lDStOtj7FKycP71A==} engines: {node: '>=8'} - cssstyle@4.1.0: - resolution: {integrity: sha512-h66W1URKpBS5YMI/V8PyXvTMFT8SupJ1IzoIV8IeBC/ji8WVmrO8dGlTi+2dh6whmdk6BiKJLD/ZBkhWbcg6nA==} - engines: {node: '>=18'} - csstype@3.1.1: resolution: {integrity: sha512-DJR/VvkAvSZW9bTouZue2sSxDwdTN92uHjqeKVm+0dAqdfNykRzQ95tay8aXMBAAPpUiq4Qcug2L7neoRh2Egw==} @@ -1970,10 +1959,6 @@ packages: resolution: {integrity: sha512-Jy/tj3ldjZJo63sVAvg6LHt2mHvl4V6AgRAmNDtLdm7faqtsx+aJG42rsyCo9JCoRVKwPFzKlIPx3DIibwSIaQ==} engines: {node: '>=12'} - data-urls@5.0.0: - resolution: {integrity: sha512-ZYP5VBHshaDAiVZxjbRVcFJpc+4xGgT0bK3vzy1HLN8jTO975HEbuYzZJcHoQEY5K1a0z8YayJkyVETa08eNTg==} - engines: {node: '>=18'} - dateformat@3.0.3: resolution: {integrity: sha512-jyCETtSl3VMZMWeRo7iY1FL19ges1t55hMo5yaam4Jrsm5EPL89UQkoQRyiI+Yf4k8r2ZpdngkV8hr1lIdjb3Q==} 
@@ -2055,8 +2040,8 @@ packages: resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==} engines: {node: '>=8'} - dom-expressions@0.39.1: - resolution: {integrity: sha512-zqbx0PQl8O6/g4kdSfWVpeMCmWnoqCbp71WLV67R9KAMG9eRt7DsmRYbAwe7q6sJ2I1SwH7Ruts4CTL1oFIT1A==} + dom-expressions@0.39.4: + resolution: {integrity: sha512-dIumf1IVt6KWfysMMp2KkVSnOi9JGNt4qzJnYT4V5At+xguAsbv1ByN4w+e8tTlq1EuwkizEWnG9YRi9PfGJXQ==} peerDependencies: csstype: ^3.0 seroval: ^1.1.0 @@ -2423,10 +2408,6 @@ packages: resolution: {integrity: sha512-oWv4T4yJ52iKrufjnyZPkrN0CH3QnrUqdB6In1g5Fe1mia8GmF36gnfNySxoZtxD5+NmYw1EElVXiBk93UeskA==} engines: {node: '>=12'} - html-encoding-sniffer@4.0.0: - resolution: {integrity: sha512-Y22oTqIU4uuPgEemfz7NDJz6OeKf12Lsu+QC+s3BVpda64lTiMYCyGwg5ki4vFxkMwQdeZDl2adZoqUgdFuTgQ==} - engines: {node: '>=18'} - html-entities@2.3.3: resolution: {integrity: sha512-DV5Ln36z34NNTDgnz0EWGBLZENelNAtkiFA4kyNOG2tDI6Mz1uSWiq1wAKdyjnJwyDiDO7Fa2SO1CTxPXL8VxA==} @@ -2443,10 +2424,6 @@ packages: resolution: {integrity: sha512-n2hY8YdoRE1i7r6M0w9DIw5GgZN0G25P8zLCRQ8rjXtTU3vsNFBI/vWK/UIeE6g5MUUz6avwAPXmL6Fy9D/90w==} engines: {node: '>= 6'} - http-proxy-agent@7.0.2: - resolution: {integrity: sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==} - engines: {node: '>= 14'} - http-signature@1.2.0: resolution: {integrity: sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==} engines: {node: '>=0.8', npm: '>=1.3.7'} 
@@ -2455,10 +2432,6 @@ packages: resolution: {integrity: sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==} engines: {node: '>= 6'} - https-proxy-agent@7.0.5: - resolution: {integrity: sha512-1e4Wqeblerz+tMKPIq2EMGiiWW1dIjZOksyHWSUm1rmuvw/how9hBHZ38lAGj5ID4Ik6EdkOw7NmWPy6LAwalw==} - engines: {node: '>= 14'} - human-signals@2.1.0: resolution: {integrity: sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==} engines: {node: '>=10.17.0'} @@ -2848,15 +2821,6 @@ packages: canvas: optional: true - jsdom@25.0.1: - resolution: {integrity: sha512-8i7LzZj7BF8uplX+ZyOlIz86V6TAsSs+np6m1kpW9u0JWi4z/1t+FzcK1aek+ybTnAC4KhBL4uXCNT0wcUIeCw==} - engines: {node: '>=18'} - peerDependencies: - canvas: ^2.11.2 - peerDependenciesMeta: - canvas: - optional: true - jsesc@0.5.0: resolution: {integrity: sha512-uZz5UnB7u4T9LvwmFqXii7pZSouaRPorGs5who1Ip7VO0wxanFvBL7GkM6dTHlgX+jhBApRetaWpnDabOeTcnA==} hasBin: true @@ -3241,9 +3205,6 @@ packages: engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0} deprecated: This package is no longer supported. - nwsapi@2.2.12: - resolution: {integrity: sha512-qXDmcVlZV4XRtKFzddidpfVP4oMSGhga+xdMc25mv8kaLUHtgzCDhUxkrN8exkGdTlLNaXj7CV3GtON7zuGZ+w==} - nwsapi@2.2.2: resolution: {integrity: sha512-90yv+6538zuvUMnN+zCr8LuV6bPFdq50304114vJYJ8RDyK8D5O9Phpbd6SZWgI7PwzmmfN1upeOJlvybDSgCw==} @@ -3505,10 +3466,6 @@ packages: resolution: {integrity: sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==} engines: {node: '>=6'} - punycode@2.3.1: - resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==} - engines: {node: '>=6'} - q@1.5.1: resolution: {integrity: sha512-kV/CThkXo6xyFEZUugw/+pIOywXcDbFYgSct5cT3gqlbkBE1SJdwy6UQoZvodiWF/ckQLZyDE/Bu1M6gVu5lVw==} engines: {node: '>=0.6.0', teleport: '>=0.2.0'} 
@@ -3673,9 +3630,6 @@ packages: engines: {node: '>=14.18.0', npm: '>=8.0.0'} hasBin: true - rrweb-cssom@0.7.1: - resolution: {integrity: sha512-TrEMa7JGdVm0UThDJSx7ddw5nVm3UJS9o9CCIZ72B1vSyEZoziDqBYP3XIoi/12lKrJR8rE3jeFHMok2F/Mnsg==} - run-async@2.4.1: resolution: {integrity: sha512-tvVnVv01b8c1RrA6Ep7JkStj85Guv/YrMcwqYQnwjsAS2cTmmPGBBjAjpCW7RrSodNSoE2/qg9O4bceNvUuDgQ==} engines: {node: '>=0.12.0'} @@ -3915,13 +3869,6 @@ packages: through@2.3.8: resolution: {integrity: sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg==} - tldts-core@6.1.47: - resolution: {integrity: sha512-6SWyFMnlst1fEt7GQVAAu16EGgFK0cLouH/2Mk6Ftlwhv3Ol40L0dlpGMcnnNiiOMyD2EV/aF3S+U2nKvvLvrA==} - - tldts@6.1.47: - resolution: {integrity: sha512-R/K2tZ5MiY+mVrnSkNJkwqYT2vUv1lcT6wJvd2emGaMJ7PHUGRY4e3tUsdFCXgqxi2QgbHjL3yJgXCo40v9Hxw==} - hasBin: true - tmp@0.0.33: resolution: {integrity: sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==} engines: {node: '>=0.6.0'} 
@@ -3949,21 +3896,13 @@ packages: resolution: {integrity: sha512-G9fqXWoYFZgTc2z8Q5zaHy/vJMjm+WV0AkAeHxVCQiEB1b+dGvWzFW6QV07cY5jQ5gRkeid2qIkzkxUnmoQZUQ==} engines: {node: '>=6'} - tough-cookie@5.0.0: - resolution: {integrity: sha512-FRKsF7cz96xIIeMZ82ehjC3xW2E+O2+v11udrDYewUbszngYhsGa8z6YUMMzO9QJZzzyd0nGGXnML/TReX6W8Q==} - engines: {node: '>=16'} - tr46@0.0.3: resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==} tr46@3.0.0: resolution: {integrity: sha512-l7FvfAHlcmulp8kr+flpQZmVwtu7nfRV7NZujtN0OqES8EL4O4e0qqzL0DC5gAvx/ZC/9lk6rhcUwYvkBnBnYA==} engines: {node: '>=12'} - tr46@5.0.0: - resolution: {integrity: sha512-tk2G5R2KRwBd+ZN0zaEXpmzdKyOYksXwywulIX95MBODjSzMIuQnQ3m8JxgbhnL1LeVo7lqQKsYa1O3Htl7K5g==} - engines: {node: '>=18'} - treeverse@2.0.0: resolution: {integrity: sha512-N5gJCkLu1aXccpOTtqV6ddSEi6ZmGkh3hjmbu1IjcavJK4qyOVQmi0myQKM7z5jVGmD68SJoliaVrMmVObhj6A==} engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0} @@ -4125,10 +4064,6 @@ packages: resolution: {integrity: sha512-d+BFHzbiCx6zGfz0HyQ6Rg69w9k19nviJspaj4yNscGjrHu94sVP+aRm75yEbCh+r2/yR+7q6hux9LVtbuTGBw==} engines: {node: '>=14'} - w3c-xmlserializer@5.0.0: - resolution: {integrity: sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==} - engines: {node: '>=18'} - walk-up-path@1.0.0: resolution: {integrity: sha512-hwj/qMDUEjCU5h0xr90KGCf0tg0/LgJbmOWgrWKYlcJZM7XvquvUJZ0G/HMGr7F7OQMOUuPHWP9JpriinkAlkg==} 
@@ -4149,26 +4084,14 @@ packages: resolution: {integrity: sha512-p41ogyeMUrw3jWclHWTQg1k05DSVXPLcVxRTYsXUk+ZooOCZLcoYgPZ/HL/D/N+uQPOtcp1me1WhBEaX02mhWg==} engines: {node: '>=12'} - whatwg-encoding@3.1.1: - resolution: {integrity: sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==} - engines: {node: '>=18'} - whatwg-mimetype@3.0.0: resolution: {integrity: sha512-nt+N2dzIutVRxARx1nghPKGv1xHikU7HKdfafKkLNLindmPU/ch3U31NOCGGA/dmPcmb1VlofO0vnKAcsm0o/Q==} engines: {node: '>=12'} - whatwg-mimetype@4.0.0: - resolution: {integrity: sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg==} - engines: {node: '>=18'} - whatwg-url@11.0.0: resolution: {integrity: sha512-RKT8HExMpoYx4igMiVMY83lN6UeITKJlBQ+vR/8ZJ8OCdSiN3RwCq+9gH0+Xzj0+5IrM6i4j/6LuvzbZIQgEcQ==} engines: {node: '>=12'} - whatwg-url@14.0.0: - resolution: {integrity: sha512-1lfMEm2IEr7RIV+f4lUNPOqfFL+pO+Xw3fJSqmjX9AbXcXcYOkCe1P6+9VBZB6n94af16NfZf+sSk0JCBZC9aw==} - engines: {node: '>=18'} - whatwg-url@5.0.0: resolution: {integrity: sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==} 
@@ -4228,26 +4151,10 @@ packages: utf-8-validate: optional: true - ws@8.18.0: - resolution: {integrity: sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==} - engines: {node: '>=10.0.0'} - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: '>=5.0.2' - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - xml-name-validator@4.0.0: resolution: {integrity: sha512-ICP2e+jsHvAj2E2lIHxa5tjXRlKDJo4IdvPvCXbXQGdzSfmSpNVyIKMvoZHjDY9DP0zV17iI85o90vRFXNccRw==} engines: {node: '>=12'} - xml-name-validator@5.0.0: - resolution: {integrity: sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==} - engines: {node: '>=18'} - xmlchars@2.2.0: resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==} @@ -4333,7 +4240,7 @@ snapshots: '@babel/generator@7.20.7': dependencies: - '@babel/types': 7.20.7 + '@babel/types': 7.23.0 '@jridgewell/gen-mapping': 0.3.2 jsesc: 2.5.2 @@ -4437,7 +4344,7 @@ snapshots: '@babel/helper-validator-identifier': 7.19.1 '@babel/template': 7.20.7 '@babel/traverse': 7.23.2 - '@babel/types': 7.20.7 + '@babel/types': 7.23.0 transitivePeerDependencies: - supports-color @@ -4507,7 +4414,7 @@ snapshots: dependencies: '@babel/template': 7.20.7 '@babel/traverse': 7.23.2 - '@babel/types': 7.20.7 + '@babel/types': 7.23.0 transitivePeerDependencies: - supports-color @@ -4525,7 +4432,7 @@ snapshots: '@babel/parser@7.20.7': dependencies: - '@babel/types': 7.20.7 + '@babel/types': 7.23.0 '@babel/parser@7.23.0': dependencies: @@ -4859,7 +4766,7 @@ snapshots: '@babel/helper-hoist-variables': 7.18.6 '@babel/helper-module-transforms': 7.20.11 '@babel/helper-plugin-utils': 7.20.2 - '@babel/helper-validator-identifier': 7.19.1 + '@babel/helper-validator-identifier': 7.22.20 transitivePeerDependencies: - supports-color 
@@ -5044,7 +4951,7 @@ snapshots: '@babel/helper-plugin-utils': 7.20.2 '@babel/plugin-proposal-unicode-property-regex': 7.18.6(@babel/core@7.20.12) '@babel/plugin-transform-dotall-regex': 7.18.6(@babel/core@7.20.12) - '@babel/types': 7.20.7 + '@babel/types': 7.23.0 esutils: 2.0.3 '@babel/preset-typescript@7.18.6(@babel/core@7.20.12)': @@ -5064,7 +4971,7 @@ snapshots: dependencies: '@babel/code-frame': 7.18.6 '@babel/parser': 7.20.7 - '@babel/types': 7.20.7 + '@babel/types': 7.23.0 '@babel/template@7.22.15': dependencies: @@ -6260,12 +6167,6 @@ snapshots: transitivePeerDependencies: - supports-color - agent-base@7.1.1: - dependencies: - debug: 4.3.4 - transitivePeerDependencies: - - supports-color - agentkeepalive@4.2.1: dependencies: debug: 4.3.4 @@ -6388,21 +6289,15 @@ snapshots: '@types/babel__core': 7.20.5 '@types/babel__traverse': 7.18.3 - babel-plugin-jsx-dom-expressions@0.39.0(@babel/core@7.20.12): + babel-plugin-jsx-dom-expressions@0.39.3(@babel/core@7.20.12): dependencies: '@babel/core': 7.20.12 '@babel/helper-module-imports': 7.18.6 '@babel/plugin-syntax-jsx': 7.18.6(@babel/core@7.20.12) '@babel/types': 7.23.0 html-entities: 2.3.3 - jest-diff: 29.7.0 - jsdom: 25.0.1 + parse5: 7.1.2 validate-html-nesting: 1.2.1 - transitivePeerDependencies: - - bufferutil - - canvas - - supports-color - - utf-8-validate babel-plugin-polyfill-corejs2@0.3.3(@babel/core@7.20.12): dependencies: @@ -6798,10 +6693,6 @@ snapshots: dependencies: cssom: 0.3.8 - cssstyle@4.1.0: - dependencies: - rrweb-cssom: 0.7.1 - csstype@3.1.1: {} dargs@7.0.0: {} @@ -6816,11 +6707,6 @@ snapshots: whatwg-mimetype: 3.0.0 whatwg-url: 11.0.0 - data-urls@5.0.0: - dependencies: - whatwg-mimetype: 4.0.0 - whatwg-url: 14.0.0 - dateformat@3.0.3: {} debug@4.3.4: 
@@ -6875,7 +6761,7 @@ snapshots: dependencies: path-type: 4.0.0 - dom-expressions@0.39.1(csstype@3.1.1)(seroval-plugins@1.1.0(seroval@1.1.0))(seroval@1.1.0): + dom-expressions@0.39.4(csstype@3.1.1)(seroval-plugins@1.1.0(seroval@1.1.0))(seroval@1.1.0): dependencies: babel-plugin-transform-rename-import: 2.3.0 csstype: 3.1.1 @@ -7248,10 +7134,6 @@ snapshots: dependencies: whatwg-encoding: 2.0.0 - html-encoding-sniffer@4.0.0: - dependencies: - whatwg-encoding: 3.1.1 - html-entities@2.3.3: {} html-escaper@2.0.2: {} @@ -7268,13 +7150,6 @@ snapshots: transitivePeerDependencies: - supports-color - http-proxy-agent@7.0.2: - dependencies: - agent-base: 7.1.1 - debug: 4.3.4 - transitivePeerDependencies: - - supports-color - http-signature@1.2.0: dependencies: assert-plus: 1.0.0 @@ -7288,13 +7163,6 @@ snapshots: transitivePeerDependencies: - supports-color - https-proxy-agent@7.0.5: - dependencies: - agent-base: 7.1.1 - debug: 4.3.4 - transitivePeerDependencies: - - supports-color - human-signals@2.1.0: {} humanize-ms@1.2.1: @@ -7905,34 +7773,6 @@ snapshots: - supports-color - utf-8-validate - jsdom@25.0.1: - dependencies: - cssstyle: 4.1.0 - data-urls: 5.0.0 - decimal.js: 10.4.3 - form-data: 4.0.0 - html-encoding-sniffer: 4.0.0 - http-proxy-agent: 7.0.2 - https-proxy-agent: 7.0.5 - is-potential-custom-element-name: 1.0.1 - nwsapi: 2.2.12 - parse5: 7.1.2 - rrweb-cssom: 0.7.1 - saxes: 6.0.0 - symbol-tree: 3.2.4 - tough-cookie: 5.0.0 - w3c-xmlserializer: 5.0.0 - webidl-conversions: 7.0.0 - whatwg-encoding: 3.1.1 - whatwg-mimetype: 4.0.0 - whatwg-url: 14.0.0 - ws: 8.18.0 - xml-name-validator: 5.0.0 - transitivePeerDependencies: - - bufferutil - - supports-color - - utf-8-validate - jsesc@0.5.0: {} jsesc@2.5.2: {} @@ -8391,8 +8231,6 @@ snapshots: gauge: 4.0.4 set-blocking: 2.0.0 - nwsapi@2.2.12: {} - nwsapi@2.2.2: {} nx@15.4.5: @@ -8672,8 +8510,6 @@ snapshots: punycode@2.1.1: {} - punycode@2.3.1: {} - q@1.5.1: {} qs@6.5.3: {} 
@@ -8857,8 +8693,6 @@ snapshots: optionalDependencies: fsevents: 2.3.2 - rrweb-cssom@0.7.1: {} - run-async@2.4.1: {} run-parallel@1.2.0: @@ -9090,12 +8924,6 @@ snapshots: through@2.3.8: {} - tldts-core@6.1.47: {} - - tldts@6.1.47: - dependencies: - tldts-core: 6.1.47 - tmp@0.0.33: dependencies: os-tmpdir: 1.0.2 @@ -9124,20 +8952,12 @@ snapshots: universalify: 0.2.0 url-parse: 1.5.10 - tough-cookie@5.0.0: - dependencies: - tldts: 6.1.47 - tr46@0.0.3: {} tr46@3.0.0: dependencies: punycode: 2.1.1 - tr46@5.0.0: - dependencies: - punycode: 2.3.1 - treeverse@2.0.0: {} trim-newlines@3.0.1: {} @@ -9266,10 +9086,6 @@ snapshots: dependencies: xml-name-validator: 4.0.0 - w3c-xmlserializer@5.0.0: - dependencies: - xml-name-validator: 5.0.0 - walk-up-path@1.0.0: {} walker@1.0.8: @@ -9288,24 +9104,13 @@ snapshots: dependencies: iconv-lite: 0.6.3 - whatwg-encoding@3.1.1: - dependencies: - iconv-lite: 0.6.3 - whatwg-mimetype@3.0.0: {} - whatwg-mimetype@4.0.0: {} - whatwg-url@11.0.0: dependencies: tr46: 3.0.0 webidl-conversions: 7.0.0 - whatwg-url@14.0.0: - dependencies: - tr46: 5.0.0 - webidl-conversions: 7.0.0 - whatwg-url@5.0.0: dependencies: tr46: 0.0.3 @@ -9375,12 +9180,8 @@ snapshots: ws@8.12.0: {} - ws@8.18.0: {} - xml-name-validator@4.0.0: {} - xml-name-validator@5.0.0: {} - xmlchars@2.2.0: {} xtend@4.0.2: {}
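Review bot: In the renderToStream hunk of server.js, last is still used unchecked. Only first === -1 returns early, so if the closing <!--!$/${id}--> marker is not found, html.slice(last + placeholder.length + 1) starts at placeholder.length and re-appends most of the document after the payload. The injectAssets hunk in this same commit guards its lookup with if (index === -1) return html; the equivalent if (last === -1) return; belongs here.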
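Review bot: The useAssets hunk in server.js changes the contract for existing callers and nothing documents it. With resolveSSRNode(escape(fn())), a callback that returns a plain HTML string now has its output escaped, which is why the test has to switch to the r.ssr template form. Add a changelog or API note stating that asset callbacks must return an ssr template result, since downstream code that returns raw strings will change behaviour on upgrade.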
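Review bot: The ssr.spec.js hunk only adapts Comp3 to the new useAssets behaviour; no test exercises the bug being fixed. Add a case whose asset output contains the $' and $` patterns and assert that the rendered HTML keeps them literally, covering both injectAssets and the renderToStream placeholder path, so that a later refactor back to .replace() fails the suite.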
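Review bot: pnpm-lock.yaml accounts for +20 −219 of this commit and none of it relates to the .replace() fix: it drops jest-diff and the jsdom@25.0.1 dependency tree, and bumps babel-plugin-jsx-dom-expressions to 0.39.3 and dom-expressions to 0.39.4 for the sibling packages. Split the lockfile changes into their own commit so the security fix stays a small change to server.js and its test that is easy to audit and backport.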
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hw62-58pr-7wc5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-27108 (ghsa, ADVISORY)
- github.com/ryansolid/dom-expressions/commit/521f75dfa89ed24161646e7007d9d7d21da07767 (ghsa, x_refsource_MISC, WEB)
- github.com/ryansolid/dom-expressions/security/advisories/GHSA-hw62-58pr-7wc5 (ghsa, x_refsource_CONFIRM, WEB)