CVE-2025-27108
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Summary
CVE-2025-27108 is a newly disclosed Cross-site Scripting (XSS) vulnerability in the dom-expressions library (the "Fine-Grained Runtime for Performant DOM Rendering" used by Solid). The flaw stems from the use of JavaScript's `.replace()` with a string replacement argument: the replacement string is scanned for `$`-prefixed special replacement patterns (such as `` $` `` and `$'`), which `.replace()` expands rather than inserting literally. This matters for user-defined attributes of Meta tags in the solid-meta package, which uses `useEffect` and context providers to inject assets into the HTML head via `.replace()`. If an injected asset tag carries user-controlled data, those patterns let an attacker break out of the intended markup and execute arbitrary JavaScript in the victim's browser. The issue is fixed in version 0.39.5, and users are advised to upgrade as soon as possible; no workarounds are currently known.
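The mechanism described above is easiest to see in a small, self-contained reproduction. The following is an added example written for this page; it is not code from dom-expressions, solid-meta, or the advisory. The head template, the `__ASSETS__` placeholder and the helper names are constructed for illustration. It shows that a string replacement containing `$'` rewrites the surrounding document even after ordinary HTML attribute escaping (which leaves `$` and `'` untouched), and that a function replacer or `$`-escaping neutralizes the behaviour.

```javascript
// Added example, not code from the affected project.
// Demonstrates why String.prototype.replace() with a *string* replacement
// is unsafe when the replacement carries user-controlled data, and two fixes.

// Constructed SSR head template with a placeholder for injected assets.
const HEAD_TEMPLATE = "<head><title>App</title>__ASSETS__</head>";

// Vulnerable pattern: a plain-string replacement. JavaScript interprets
// $-sequences inside it: $$ -> "$", $& -> matched text,
// $` -> text before the match, $' -> text after the match, $n -> capture n.
function injectAssetsUnsafe(template, assetMarkup) {
  return template.replace("__ASSETS__", assetMarkup);
}

// Fix 1: a function replacer. Its return value is inserted verbatim, so
// special replacement patterns are never interpreted.
function injectAssetsSafe(template, assetMarkup) {
  return template.replace("__ASSETS__", () => assetMarkup);
}

// Fix 2: escape every "$" as "$$" when a string replacement must be used.
// (The function replacer here returns the literal two characters "$$".)
function escapeReplacement(value) {
  return String(value).replace(/\$/g, () => "$$");
}

// Standard escaping for a value placed in a double-quoted HTML attribute.
// Note: it does not touch "$" or "'", so it does not defend against the
// replace()-pattern issue on its own.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build a <meta> tag whose content attribute is user-controlled.
function buildMetaTag(content) {
  return `<meta name="description" content="${escapeAttr(content)}">`;
}

// Detection helper for code review or runtime guards: true when a value
// contains a sequence that a string replacement would interpret.
function containsReplacementPattern(value) {
  return /\$(?:[$&`']|\d)/.test(String(value));
}

// Stand-alone demonstration with constructed user input.
const userInput = "x$'y"; // constructed: a description containing $'
const tag = buildMetaTag(userInput);
console.log("unsafe:", injectAssetsUnsafe(HEAD_TEMPLATE, tag));
console.log("safe:  ", injectAssetsSafe(HEAD_TEMPLATE, tag));
console.log("escaped:", injectAssetsUnsafe(HEAD_TEMPLATE, escapeReplacement(tag)));
```

In the unsafe branch, `$'` expands to everything after the placeholder (here `</head>`), so the closing tag lands inside the attribute value and the document structure is altered without any `<` or `"` ever appearing in the input. The two hardened branches produce the tag exactly as built; the detection helper is a cheap guard for code that still relies on string replacements.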