PT-2025-7633 · Unknown · Dom-Expressions

Nsysean · Published 2025-02-21 · Updated 2025-02-25 · CVE-2025-27108

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: dom-expressions versions prior to 0.39.5

Description: The issue arises from the use of JavaScript's .replace() function, which is exposed to Cross-site Scripting (XSS) when the replacement string contains special replacement patterns beginning with $. Specifically, when the attributes of the Meta tag from solid-meta are user-defined, attackers can use the special replacement patterns $' or $` to achieve XSS. This vulnerability can be exploited if the attributes of an asset tag contain user-controlled data, allowing attackers to execute arbitrary JavaScript in the victim's web browser.

Recommendations: For versions prior to 0.39.5, upgrade to version 0.39.5 or later to address the issue. As a temporary workaround, consider restricting the use of user-controlled data in the attributes of the Meta tag to minimize the risk of exploitation. Additionally, avoid passing user-controlled strings as the replacement argument of .replace(), where patterns beginning with $ are interpreted, until the issue is resolved.
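As an added example (not code from dom-expressions or solid-meta; the template, the placeholder token and all function names are constructed for this illustration), the following shows how a replacement string containing $' or $` pulls surrounding markup into the attribute value, and two ways to insert user-controlled text literally: a replacement function, or doubling every $ when a replacement string must be used. Attribute encoding is applied as well, since neutralizing $ patterns alone does not make the value safe inside HTML.

```javascript
// Added example, not project code. Demonstrates String.prototype.replace()
// replacement patterns ($' = text after the match, $` = text before it)
// and how to insert a user-controlled value verbatim instead.

// Constructed template: the placeholder is filled with a meta attribute value.
const TEMPLATE = '<meta name="description" content="__VALUE__"><title>Home</title>';

// Vulnerable pattern: the value is used directly as the replacement string,
// so "$'" and "$`" are interpreted and copy template text into the attribute.
function renderUnsafe(value) {
  return TEMPLATE.replace('__VALUE__', value);
}

// Encode the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fix 1: a replacement *function* returns its value verbatim; no $ patterns apply.
function renderSafe(value) {
  return TEMPLATE.replace('__VALUE__', () => escapeAttr(value));
}

// Fix 2: when a replacement string is unavoidable, double every "$" so that
// replace() emits it literally ("$$" is the escape for one "$"; the
// replacement string '$$$$' below therefore yields "$$" in the output).
function escapeReplacement(value) {
  return String(value).replace(/\$/g, '$$$$');
}

function renderSafeViaString(value) {
  return TEMPLATE.replace('__VALUE__', escapeReplacement(escapeAttr(value)));
}

// Check helper for templating code: true when replace() did not insert the
// value verbatim, i.e. a $ pattern in the value was interpreted.
function replacementWasInterpreted(value) {
  return renderUnsafe(value) !== TEMPLATE.replace('__VALUE__', () => value);
}
```

The check helper can be dropped into unit tests of any templating code that builds tags with .replace(), flagging inputs whose rendered form differs from the literal value.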

Weakness Enumeration

XSS
Improper Encoding or Escaping of Output

Related Identifiers

CVE-2025-27108
GHSA-HW62-58PR-7WC5

Affected Products

Dom-Expressions