CVE-2024-41677 – @builder.io/qwik

Package

Manager: npm
Name: @builder.io/qwik
Vulnerable Version: >=0 <1.7.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.0021 pctl0.43474

Details

Qwik has a potential mXSS vulnerability due to improper HTML escaping ### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `>` -> `&gt;` - `&` -> `&amp;` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input const { url } = useLocation(); const href = url.searchParams.get("href") ?? "https://example.com"; return ( <div> <noscript> <a href={href}>test</a> </noscript> </div> ); }); ``` If a user accesses the following URL, ``` http://localhost:4173/?href=</noscript><script>alert(123)</script> ``` then, `alert(123)` will be executed. ### Impact XSS

Metadata

Created: 2024-08-06T18:24:47Z
Modified: 2024-08-06T18:55:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-2rwj-7xq8-4gx4/GHSA-2rwj-7xq8-4gx4.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-2rwj-7xq8-4gx4
Finding: F425
Auto approve: 1