Slim has Reflected XSS in the HtmlErrorRenderer
🔗 CVE IDs covered (1)
📋 Description
Impact
If an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.
The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path.
Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected.
Patches
The issue is fixed in 4.15.2.
Workarounds
Without upgrading, applications can:
- Avoid passing untrusted/request-derived data into
HttpException::setTitle()andsetDescription(). Use static, plain-text error copy instead. - Register a custom error renderer (an
ErrorRendererInterfaceimplementation, or a subclass ofHtmlErrorRendererthat escapes the title and description) for the HTML media type.
Acknowledgments
Slim is grateful to and thanks GitHub user 0xEr3n for reporting this issue.
Resources
- CWE-79: https://cwe.mitre.org/data/definitions/79.html
🎯 Affected products1
- composer/slim/slim:>= 4.4.0, <= 4.15.1