CVE-2025-15265: SSR hydration XSS via JSON.stringify
Using JSON.stringify() to serialize hydration data into an inline HTML <script> tag does not escape HTML tag sequences such as </script>. An attacker who controls any string inside that data can therefore terminate the script block early and inject arbitrary JavaScript (XSS). Use an HTML-safe serialization method such as devalue.uneval() instead.
Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | JS

greprules fetch cve-2025-15265-ssr-hydration-xss-json-stringify --engine opengrep
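The pattern this rule flags, as an added example (not code from the greprules page or from devalue): the unsafe JSON.stringify() render beside a hardened variant that escapes the characters able to break out of a script block as JSON-compatible \uXXXX sequences, plus a small check a template test can run. The function names and the sample record are assumptions made for this illustration.

```javascript
// Added example: why JSON.stringify() is unsafe for inline <script> hydration
// data, and one HTML-safe alternative. Not the rule's own code; the page itself
// recommends devalue.uneval(), this shows the escaping idea behind such tools.

// Vulnerable: JSON.stringify leaves "</script>" intact, so a string value can
// close the block the server opened.
function renderHydrationUnsafe(data) {
  return `<script>window.__DATA__ = ${JSON.stringify(data)};</script>`;
}

// Characters that matter to the HTML parser, plus the two line terminators
// that older JS engines reject inside string literals. Each maps to a \u
// escape that is valid in both JSON and JavaScript string literals.
const HTML_SAFE_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Hardened: stringify, then replace the dangerous characters. The output is
// still valid JSON, so JSON.parse() on the client yields the original value.
function safeJsonForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) => HTML_SAFE_ESCAPES[ch]);
}

function renderHydrationSafe(data) {
  return `<script>window.__DATA__ = ${safeJsonForScript(data)};</script>`;
}

// Check for rendering tests: a hydration block must contain exactly one
// "</script", the one the template emitted itself.
function scriptBlockIsIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed sample: a user-controlled display name carrying a script
// terminator, and a note with "&", "<" and U+2028 to exercise every escape.
const sample = {
  name: 'Mallory</script>',
  note: 'a & b <i>\u2028c',
};
```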