PT-2026-33905 — XSS in Npm Unhead

PT-2026-33905 · Npm · Unhead

Published

2026-04-10

Updated

2026-04-10

CVSS v4.0

2.3

Low

Vector

AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Summary

createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.

Details

streamKey was embedded into JavaScript source via dot notation in two public helpers:

createBootstrapScript() returned <script>window.${streamKey}={...}</script>
renderSSRHeadSuspenseChunk() returned window.${streamKey}.push(...)

No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A streamKey such as unhead ;globalThis.PWNED=1;// broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect streamKey because streamKey was inserted as raw code rather than as serialized data.

Impact

streamKey is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default unhead). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing streamKey from request data.

Applications using the default streamKey, or any hardcoded custom key, are not affected.

PoC

import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server'

const { head } = createStreamableHead({
 streamKey: ' unhead ;globalThis.PWNED=1;//',
})

const html = renderSSRHeadShell(
 head,
 '<!doctype html><html><head></head><body></body></html>',
)

// <!doctype html><html><head><script>window. unhead ;globalThis.PWNED=1;//={ q:[],push(e){this. q.push(e)}}</script>…

Patch

Fixed on main in 64b5ac0. The fix will ship in the next patch release of unhead.

streamKey is now validated against a conservative ASCII JavaScript-identifier pattern (/^[$ a-z][$w]*$/i) at every sink — createStreamableHead, createBootstrapScript, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.

Workarounds

Do not pass untrusted data into createStreamableHead({ streamKey }) or createBootstrapScript(key). If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.

Credit

Thanks to @Jvr2022 for the report.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

GHSA-X7MM-9VVV-64W8

Affected Products

Unhead