PT-2024-29502 · Qwik · @builder.io/qwik

Arkark · Published 2024-08-06 · Updated 2024-08-12 · CVE-2024-41677

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Qwik versions prior to 1.6.0
@builder.io/qwik versions prior to 1.7.3

Description
A potential mutation XSS (mXSS) vulnerability exists in Qwik because of improper HTML escaping during server-side rendering. Qwik serializes strings according to its own conversion rules, so the DOM tree the browser builds from the rendered HTML can differ from the tree Qwik expected when it rendered on the server. That discrepancy can be leveraged for XSS, specifically mutation XSS. The issue lies in the conversion rules in the render-ssr.ts file, where attribute values and other characters are converted differently, potentially leading to security vulnerabilities.

Recommendations
For Qwik versions prior to 1.6.0, upgrade to version 1.6.0 or later to resolve the issue. For @builder.io/qwik versions prior to 1.7.3, upgrade to version 1.7.3 or later to resolve the issue. As a temporary workaround, restrict user input in the href parameter to minimize the risk of exploitation, and avoid using the href parameter in the affected component until the issue is resolved.
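The root cause described above is the general class of SSR escaping bugs: the serializer applies one set of conversion rules regardless of whether a string lands in a text node or inside an attribute, so the browser's parser can rebuild a different tree than the server intended. The following is an added illustration written for this advisory, not Qwik's render-ssr.ts or any code from the project; the `renderLink` component shape, the `escapeText`/`escapeAttr` helpers and the constructed sample input are assumptions. It contrasts a serializer that reuses text-node escaping for an attribute value with one that escapes per context, and uses a simple structural count as the kind of regression check a maintainer would add.

```javascript
// Added example, not from Qwik. Demonstrates context-aware HTML escaping
// for server-side rendering and a structural check that catches the
// attribute-boundary mismatch behind this class of mXSS bug.

// Escaping for text nodes: only '&' and '<' can open an entity or a tag,
// '>' is escaped for symmetry.
function escapeText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escaping for double-quoted attribute values: a raw '"' would terminate the
// attribute early, so it must be escaped in addition to the text-node set.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Weak serializer (hypothetical): applies text-node rules to an attribute
// value. Looks safe because '<' and '>' are gone, but '"' survives.
function renderLinkNaive(href, text) {
  return `<a href="${escapeText(href)}">${escapeText(text)}</a>`;
}

// Hardened serializer (hypothetical): escapes according to where the
// string lands, so the browser rebuilds exactly one attribute.
function renderLink(href, text) {
  return `<a href="${escapeAttr(href)}">${escapeText(text)}</a>`;
}

// Regression check: count attribute openers ('="') in the rendered markup.
// The template contains exactly one attribute, so any other value means the
// untrusted string changed the tree structure. A fuller test would feed the
// output to a real DOM parser and compare the resulting tree.
function attributeCount(html) {
  return (html.match(/="/g) || []).length;
}

// Constructed sample input: a quote followed by a second, harmless-looking
// attribute, enough to show the boundary being broken without any payload.
const SAMPLE_HREF = 'a" data-x="b';
const SAMPLE_TEXT = "Link <b>";

function demo() {
  const weak = renderLinkNaive(SAMPLE_HREF, SAMPLE_TEXT);
  const hardened = renderLink(SAMPLE_HREF, SAMPLE_TEXT);
  return {
    weak,
    hardened,
    weakAttrs: attributeCount(weak),         // 2: the tree gained an attribute
    hardenedAttrs: attributeCount(hardened), // 1: structure preserved
  };
}

console.log(demo());
```

The check is deliberately structural rather than payload-based: it asserts that the number of attributes in the output equals the number in the template, which is the invariant a server-side renderer has to uphold for the browser's DOM to match its own.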

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-41677
GHSA-2RWJ-7XQ8-4GX4

Affected Products

@builder.io/qwik
Qwik