PT-2026-30394 · Npm · @Grackle-Ai/Server

Published

2026-03-25

·

Updated

2026-03-25

CVSS v4.0

2.3

Low

Vector AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Impact

The renderPairingPage() function embeds the error parameter directly into the HTML response without escaping:

```typescript
const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";
```

All current call sites pass hardcoded strings, so this is not exploitable today. The function is nonetheless fragile: if a future change passes user-controlled or otherwise dynamic content in the error parameter, the result is a cross-site scripting (XSS) vulnerability, since any markup in that string is emitted verbatim.
The renderAuthorizePage() function in the same file correctly wraps dynamic content in escapeHtml(), so the two renderers are inconsistent.
Affected code:
  • packages/server/src/index.ts:64-89 renderPairingPage() with unescaped error interpolation
  • Compare: packages/server/src/index.ts:130 renderAuthorizePage() correctly uses escapeHtml()

Patches

v0.70.1
Fix: apply escapeHtml() to the error parameter:

```typescript
const errorHtml = error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";
```
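The following is an added example, not code from the @Grackle-Ai/Server project, that places the unescaped fragment builder from the Impact section next to the v0.70.1 form from the Patches section and feeds both a constructed payload. The advisory only names escapeHtml(); the five-character implementation below is an assumption, as is the renderErrorVulnerable/renderErrorFixed naming. The check at the end shows what a practitioner would want to confirm: hardcoded messages render identically either way, while a string containing markup only survives as markup in the pre-fix version.

```typescript
// Assumed implementation of escapeHtml(): the advisory names the helper but
// does not show it. Escapes the five characters that can break out of text
// or attribute context in HTML.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix behaviour (hypothetical name): the error string is interpolated raw.
// Harmless while every caller passes a literal; CWE-79 the moment `error`
// carries anything attacker-influenced.
function renderErrorVulnerable(error?: string): string {
  return error ? `<p style="color:#e74c3c">${error}</p>` : "";
}

// v0.70.1 behaviour (hypothetical name): same markup, interpolation escaped.
function renderErrorFixed(error?: string): string {
  return error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";
}

// Does the fragment contain an opening tag the renderer itself did not write?
function containsRawTag(html: string, tag: string): boolean {
  return html.includes(`<${tag}`);
}

// Constructed payload standing in for a future dynamic `error` value, e.g. one
// echoed from a query parameter or a pairing-code lookup.
const PAYLOAD = `<img src=x onerror="alert(1)">`;

// Constructed stand-in for today's hardcoded caller messages.
const STATIC_MESSAGE = "Pairing code expired";

interface EscapeDemo {
  vulnerable: string;
  fixed: string;
  vulnerableInjects: boolean;
  fixedInjects: boolean;
  staticUnchanged: boolean;
}

// Run both renderers over the payload and the static message and report
// whether an <img> tag made it into the output and whether the fix alters
// the output for a plain string.
function demo(): EscapeDemo {
  const vulnerable = renderErrorVulnerable(PAYLOAD);
  const fixed = renderErrorFixed(PAYLOAD);
  return {
    vulnerable,
    fixed,
    vulnerableInjects: containsRawTag(vulnerable, "img"),
    fixedInjects: containsRawTag(fixed, "img"),
    staticUnchanged:
      renderErrorVulnerable(STATIC_MESSAGE) === renderErrorFixed(STATIC_MESSAGE),
  };
}
```

staticUnchanged is the property that makes the patch safe to apply blind: messages without HTML metacharacters render byte-for-byte the same, so existing callers need no change.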

Workarounds

No workaround needed — all current callers pass hardcoded strings. Deployments that have forked or patched packages/server/src/index.ts to pass dynamic content into renderPairingPage() should upgrade to v0.70.1 or apply the one-line escapeHtml() fix above.

Resources

  • CWE-79: Improper Neutralization of Input During Web Page Generation
  • File: packages/server/src/index.ts

Fix

XSS


Weakness Enumeration

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Identifiers

GHSA-7Q9X-8G6P-3X75

Affected Products

@Grackle-Ai/Server