PT-2026-30394 · Npm · @Grackle-Ai/Server

Published: 2026-03-25 · Updated: 2026-03-25

CVSS v4.0: 2.3 (Low)

Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Impact

The renderPairingPage() function embeds the error parameter directly into HTML without escaping:
```typescript
const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";
```
All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.
The renderAuthorizePage() function in the same file correctly uses escapeHtml() for dynamic content, making this an inconsistency.
Affected code:
  • packages/server/src/index.ts:64-89 — renderPairingPage() with unescaped error interpolation
  • Compare: packages/server/src/index.ts:130 — renderAuthorizePage() correctly uses escapeHtml()

Patches

v0.70.1
Fix: Apply escapeHtml() to the error parameter:
```typescript
const errorHtml = error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";
```
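To make the difference between the two lines above concrete, here is an added example (not code from @grackle-ai/server) that puts a minimal escapeHtml() next to both shapes of renderPairingPage(): the pre-0.70.1 one that interpolates the error parameter raw, and the patched one that escapes it. The function names follow the advisory; their bodies, the surrounding page template, the errorIsInert() regression check and the sample inputs are assumptions constructed for this example.

```typescript
// Added example, not the project's own code. Function names mirror the
// advisory; bodies and the page template are assumptions.

// Minimal HTML escaper covering the five characters that can open a tag,
// close a quoted attribute or start an entity.
function escapeHtml(input: string): string {
  return input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix shape: `error` is dropped into the markup verbatim.
function renderPairingPageUnescaped(error?: string): string {
  const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";
  return `<!doctype html><html><body><h1>Pair device</h1>${errorHtml}</body></html>`;
}

// Patched shape (v0.70.1): same template, escapeHtml() applied to the parameter.
function renderPairingPageEscaped(error?: string): string {
  const errorHtml = error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";
  return `<!doctype html><html><body><h1>Pair device</h1>${errorHtml}</body></html>`;
}

// Regression check a maintainer could keep in the test suite (assumed helper):
// if the error text contains markup characters, it must not appear in the
// rendered page unchanged, i.e. it must have been escaped on the way in.
function errorIsInert(html: string, error: string): boolean {
  return !/[<>"'&]/.test(error) || !html.includes(error);
}

// Constructed inputs: a benign message and one carrying markup.
const SAMPLE_PLAIN = "Invalid pairing code";
const SAMPLE_MARKUP = "<b>injected</b>";

// Side-by-side rendering so the difference is visible when run directly.
console.log(renderPairingPageUnescaped(SAMPLE_MARKUP));
console.log(renderPairingPageEscaped(SAMPLE_MARKUP));
```

Today every caller passes a literal, so both shapes produce identical pages in the shipped code; the errorIsInert() check is what turns the "architecturally fragile" observation into something a future caller cannot regress silently.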

Workarounds

No workaround needed — all current callers pass hardcoded strings.

Resources

  • CWE-79: Improper Neutralization of Input During Web Page Generation
  • File: packages/server/src/index.ts

Fix

XSS


Weakness Enumeration

Related identifiers

GHSA-7Q9X-8G6P-3X75

Affected products

@Grackle-Ai/Server