GHSA-x7mm-9vvv-64w8

Source

https://github.com/advisories/GHSA-x7mm-9vvv-64w8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x7mm-9vvv-64w8/GHSA-x7mm-9vvv-64w8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x7mm-9vvv-64w8

Published

2026-04-10T22:09:39Z

Modified

2026-04-10T22:19:21.376374Z

Severity

2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

unhead: Streaming SSR `streamKey` injected into inline script without identifier validation

Details

Summary

createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.

Details

streamKey was embedded into JavaScript source via dot notation in two public helpers:

createBootstrapScript() returned <script>window.${streamKey}={...}</script>
renderSSRHeadSuspenseChunk() returned window.${streamKey}.push(...)

No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A streamKey such as __unhead__;globalThis.PWNED=1;// broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect streamKey because streamKey was inserted as raw code rather than as serialized data.

Impact

streamKey is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default __unhead__). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing streamKey from request data.

Applications using the default streamKey, or any hardcoded custom key, are not affected.

PoC

import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server'

const { head } = createStreamableHead({
  streamKey: '__unhead__;globalThis.PWNED=1;//',
})

const html = renderSSRHeadShell(
  head,
  '<!doctype html><html><head></head><body></body></html>',
)

// <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>…

Patch

Fixed on main in 64b5ac0. The fix will ship in the next patch release of unhead.

streamKey is now validated against a conservative ASCII JavaScript-identifier pattern (/^[$_a-z][$\w]*$/i) at every sink — createStreamableHead, createBootstrapScript, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.

Workarounds

Do not pass untrusted data into createStreamableHead({ streamKey }) or createBootstrapScript(key). If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.

Credit

Thanks to @Jvr2022 for the report.

Database specific

{
    "severity": "LOW",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T22:09:39Z",
    "nvd_published_at": null
}

References

Affected packages

npm / unhead

Package

Name: unhead; View open source insights on deps.dev
Purl: pkg:npm/unhead

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0-beta.5

Fixed

3.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x7mm-9vvv-64w8/GHSA-x7mm-9vvv-64w8.json"

last_known_affected_version_range

"<= 3.0.0"