DEV Community

CVE Reports

Originally published at cvereports.com


GHSA-X7MM-9VVV-64W8: Reflected Cross-Site Scripting in unhead Streaming SSR

Vulnerability ID: GHSA-X7MM-9VVV-64W8
CVSS Score: 8.1
Published: 2026-04-10

The unhead package, specifically its streaming server-side rendering (SSR) functionality, is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability stems from improper validation and unsafe string interpolation of the developer-configurable streamKey property when rendering inline JavaScript payload tags for client-side state hydration.

TL;DR

Reflected XSS in unhead's streaming SSR allows unauthenticated attackers to execute arbitrary JavaScript in the victim's browser via an unvalidated streamKey parameter.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Score: 8.1
  • Exploit Status: Proof of Concept
  • Impact: High
  • KEV Status: Not Listed

Affected Systems

  • unhead
  • @unhead/ssr
  • unhead: all versions that do not include commit 64b5ac0 (fixed in any version containing commit 64b5ac0)

Code Analysis

Commit: 64b5ac0

The fix commit introduces assertValidStreamKey, which validates the streamKey before it is rendered.

Exploit Details

  • Research Analysis: Proof of concept payload utilizing inline script comment truncation to achieve execution.

Mitigation Strategies

  • Upgrade to a patched version of unhead containing the validation fix.
  • Implement rigorous input validation on any user-controlled input used as a configuration key.
  • Deploy WAF rules to detect inline JavaScript injection characters in query parameters.

Remediation Steps:

  1. Identify all deployments using unhead streaming SSR functionality.
  2. Audit the application source code to determine if streamKey is constructed using external inputs.
  3. Update the @unhead/ssr package and all related unhead dependencies.
  4. Verify the fix by testing SSR hydration workflows with alphanumeric identifiers and verifying rejection of special characters.
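The pattern described above (a streamKey interpolated verbatim into an inline script tag) beside an allow-list check in the spirit of the fix's assertValidStreamKey, as an added illustration that is not unhead's source. The tag shape, the global name `__STREAM__`, the validator's signature and its character rules are assumptions; remediation step 4 is reflected in the `isStreamKeyAccepted` helper.

```javascript
// Constructed reconstruction of an SSR helper that emits an inline <script>
// carrying hydration state for one stream. NOT unhead's code: tag shape and
// the global name __STREAM__ are assumptions for the illustration.
function renderPayloadTagUnsafe(streamKey, state) {
  const json = JSON.stringify(state);
  // Vulnerable pattern: streamKey is trusted and lands in markup verbatim,
  // so any HTML or script delimiter it carries reaches the browser's parser.
  return `<script>window.__STREAM__["${streamKey}"]=${json}</script>`;
}

// Allow-list validator named after the fix's assertValidStreamKey; the
// signature and the exact rule (1-64 chars of [A-Za-z0-9_-]) are assumptions.
const STREAM_KEY_RE = /^[A-Za-z0-9_-]{1,64}$/;

function assertValidStreamKey(streamKey) {
  if (typeof streamKey !== 'string' || !STREAM_KEY_RE.test(streamKey)) {
    throw new TypeError('streamKey must be 1-64 characters of [A-Za-z0-9_-]');
  }
  return streamKey;
}

function renderPayloadTag(streamKey, state) {
  assertValidStreamKey(streamKey);
  // Extra hardening beyond the advisory's fix: escape "<" inside the JSON so
  // a closing tag inside serialised state cannot end the script element.
  const json = JSON.stringify(state).replace(/</g, '\\u003c');
  return `<script>window.__STREAM__["${streamKey}"]=${json}</script>`;
}

// Remediation step 4 as a check a team can keep in CI: alphanumeric
// identifiers pass, keys with quote or markup characters are rejected.
function isStreamKeyAccepted(candidate) {
  try {
    assertValidStreamKey(candidate);
    return true;
  } catch (e) {
    return false;
  }
}
```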

Read the full report for GHSA-X7MM-9VVV-64W8 on our website for more details including interactive diagrams and full exploit analysis.
