CVE-2024-41677
Qwik has a potential mXSS vulnerability due to improper HTML escaping
Description
### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `"` - `&` -> `&` - Other characters -> No conversion - Otherwise: - `<` -> `<` - `>` -> `>` - `&` -> `&` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input const { url } = useLocation(); const href = url.searchParams.get("href") ?? "https://example.com"; return ( <div> <noscript> <a href={href}>test</a> </noscript> </div> ); }); ``` If a user accesses the following URL, ``` http://localhost:4173/?href=</noscript><script>alert(123)</script> ``` then, `alert(123)` will be executed. ### Impact XSS
How to fix CVE-2024-41677
To remediate CVE-2024-41677, upgrade the affected package to a fixed version below.
- —upgrade to 1.7.3 or later
Is CVE-2024-41677 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.7.3