GHSA-93q6-wwjh-jc6hMedium

@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString

Published
July 2, 2026
Last Modified
July 2, 2026

🔗 CVE IDs covered (1)

📋 Description

Finding

Location: core/src/server/render-to-string.ts:307-311

CSS value sanitization stripped expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (\65xpression(), null bytes, or CSS comments (exp/**/ression().

Mitigating Factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.

Status

Fixed in v0.2.136 — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for behavior:, -moz-binding, and -o-link patterns.

🎯 Affected products1

  • npm/@asymmetric-effort/specifyjs:< 0.2.136

🔗 References (3)