HTML Injection in preact

Moderate severity • GitHub Reviewed • Published Sep 2, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

preact (npm)

Affected versions

>= 10.0.0-alpha.0, <= 10.0.0-beta.0

Patched versions

10.0.0-beta.1

Description

Versions of preact 10.x on the prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation, the package allows attackers to inject JavaScript objects as virtual-DOM nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization.
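The precondition above is attacker-controlled JSON flowing straight from JSON.parse() into JSX children. The following is an added example (not code from the advisory or from the preact project) of the check an application can put between those two steps: it walks the parsed value and lets only text-like primitives and arrays of them through, rejecting every object so nothing shaped like a virtual-DOM node can reach the renderer. The function names are the example's own.

```javascript
// Added example, not preact's code: validate data that came out of JSON.parse()
// before it is used as a JSX child, so only plain text reaches the renderer and
// no attacker-supplied object can be mistaken for a virtual-DOM node.

// Primitive JSX children that a renderer displays as text.
function isTextLike(value) {
  return typeof value === 'string' || typeof value === 'number';
}

// Walk a JSON-parsed value and return an equivalent value containing only
// strings and (nested) arrays of strings. null and booleans become null, which
// JSX renders as nothing. Any object, whatever its shape, is rejected, because
// an object is exactly what a renderer could confuse with a vnode.
function toSafeChildren(value) {
  if (value === null || typeof value === 'boolean') {
    return null;
  }
  if (isTextLike(value)) {
    return String(value);
  }
  if (Array.isArray(value)) {
    return value.map(toSafeChildren);
  }
  throw new TypeError('refusing to render a JSON object as a JSX child');
}

// Parse untrusted JSON and report either { ok: true, children } or
// { ok: false, error }, so the caller renders an error state instead of the input.
function parseUntrustedChildren(raw) {
  try {
    return { ok: true, children: toSafeChildren(JSON.parse(raw)) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Vulnerable pattern from the advisory (shown as a comment so this file needs
// no preact dependency):
//   const data = JSON.parse(userInput);
//   render(<div>{data.name}</div>, root);   // data.name may be an object
// Hardened form:
//   const result = parseUntrustedChildren(userInput);
//   render(<div>{result.ok ? result.children : 'invalid input'}</div>, root);
```

Upgrading to 10.0.0-beta.1 remains the fix for the library bug itself; this check only removes the application-side precondition the advisory names.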

Recommendation

Upgrade to version 10.0.0-beta.1.

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 2, 2020
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-cg48-9hh2-x6mx

Source code
