Reflected cross-site scripting (XSS) in @grackle-ai/server
Description
@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template
Impact
The renderPairingPage() function embeds the error parameter directly into HTML without escaping:
const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";
All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.
The renderAuthorizePage() function in the same file correctly uses escapeHtml() for dynamic content, making this an inconsistency.
Affected code:
packages/server/src/index.ts:64-89 — renderPairingPage() with unescaped error interpolation
Compare: packages/server/src/index.ts:130 — renderAuthorizePage() correctly uses escapeHtml()
Patches
v0.70.1
Fix: Apply escapeHtml() to the error parameter:
const errorHtml = error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";
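To make the before/after concrete, the following is an added example, not code from @grackle-ai/server. It pairs the unescaped template from the advisory with the patched form, using an assumed escapeHtml() implementation (the project's own helper may differ in detail), and adds a small constructed check that flags any raw tag surviving inside the rendered fragment. The error strings are constructed test inputs, not values the server produces.

```typescript
// Added example (not the project's code): why an unescaped interpolation
// is CWE-79, and what the v0.70.1 fix changes.

// Assumed escapeHtml() implementation. Ampersand must be replaced first so
// the entities introduced by the later replacements are not re-escaped.
function escapeHtml(input: string): string {
  return input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pattern the advisory describes: error text dropped straight into markup.
// Safe only while every caller passes a hardcoded literal.
function renderErrorUnescaped(error?: string): string {
  return error ? `<p style="color:#e74c3c">${error}</p>` : "";
}

// The patched pattern: escape before interpolation, so the parameter can only
// ever render as text, whatever a future caller passes in.
function renderErrorEscaped(error?: string): string {
  return error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";
}

// Constructed regression check (not a full HTML parser): strip the template's
// own <p> wrapper and report whether any tag-like sequence remains inside.
// A result of true means the error string reached the page as markup.
function containsInjectedTag(fragment: string): boolean {
  const inner = fragment
    .replace(/^<p style="color:#e74c3c">/, "")
    .replace(/<\/p>$/, "");
  return /<[a-zA-Z/!]/.test(inner);
}

// Convenience for a test suite: render through the patched function and
// confirm the interpolated part contains no raw markup.
function rendersSafely(error: string): boolean {
  return !containsInjectedTag(renderErrorEscaped(error));
}

// Stand-alone demonstration with a constructed canary string.
const canary = "<script>x</script>";
console.log("unescaped:", renderErrorUnescaped(canary));
console.log("escaped:  ", renderErrorEscaped(canary));
```

Wiring containsInjectedTag() into the package's tests would turn the "architecturally fragile" note into a failing test the moment a caller starts passing dynamic content through an unescaped path.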
Workarounds
No workaround needed — all current callers pass hardcoded strings.
Resources
CWE-79: Improper Neutralization of Input During Web Page Generation
File: packages/server/src/index.ts
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | @grackle-ai/server | | 0.70.1 |