CVE-2025-68457: Bind Attribute Hydration XSS
greprules fetch cve-2025-68457-bind-attribute-hydration-xss --engine opengrep
Description
Dynamically copying attributes from an object (e.g., `dataset`) to a DOM element without validating the URL or attribute type can lead to XSS. An attacker could inject a malicious `javascript:` URL into DOM execution boundaries (`href`, `src`, etc.). Verify that attribute names and values are explicitly validated against an allowlist or a safe URL check prio
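The pattern described above next to a hardened form, as an added example that is not part of the rule or of any affected project's code. The allowlists, the function names and the fake element (a stand-in for a DOM node so the code runs in Node) are assumptions made for illustration.

```javascript
// Hypothetical policy: permitted attribute names, and which of them carry URLs.
const ALLOWED_ATTRS = new Set(["href", "src", "title", "alt"]);
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Vulnerable pattern: every key/value pair reaches setAttribute unchecked.
function bindAttrsUnsafe(el, source) {
  for (const [name, value] of Object.entries(source)) {
    el.setAttribute(name, value);
  }
}

// Browsers ignore tab/CR/LF and leading control characters or spaces when
// reading a URL scheme, so strip them before parsing.
function isSafeUrl(value) {
  const cleaned = String(value).replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  try {
    // Relative values resolve against the placeholder base and inherit https:.
    return SAFE_SCHEMES.has(new URL(cleaned, "https://placeholder.invalid/").protocol);
  } catch {
    return false; // unparseable values are rejected
  }
}

// Hardened form: allowlist the name, then scheme-check URL-bearing attributes.
// Returns the names that were refused so callers can log them.
function bindAttrsSafe(el, source) {
  const rejected = [];
  for (const [rawName, value] of Object.entries(source)) {
    const name = rawName.toLowerCase();
    if (!ALLOWED_ATTRS.has(name) || (URL_ATTRS.has(name) && !isSafeUrl(value))) {
      rejected.push(rawName);
      continue;
    }
    el.setAttribute(name, String(value));
  }
  return rejected;
}

// Stand-in for a DOM element so the example runs without a browser.
function fakeElement() {
  const attrs = {};
  return { attrs, setAttribute(n, v) { attrs[n] = v; } };
}

// Constructed sample input, shaped like an attribute bag read from `dataset`.
const sample = { href: " JavaScript:alert(1)", title: "Docs", onclick: "alert(1)" };
const el = fakeElement();
console.log(bindAttrsSafe(el, sample), el.attrs);
```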