AIKIDO-2025-10334
chrome-php/chrome is vulnerable to CSS injection
15
Low Risk
This Affects:
chrome-php/chromeTL;DR
Affected versions of this package fail to properly encode CSS selector expressions, allowing an attacker to inject malicious selectors (e.g., input[type='password']). Since quotes and special characters are not properly escaped, the injected selector breaks JavaScript execution, potentially causing application errors or enabling DOM exfiltration. If user-controlled input is passed directly into the selector, an attacker could execute arbitrary JavaScript in the browser's instance. Related PR on chrome-php: https://github.com/chrome-php/chrome/pull/691.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range, and allow user input into any selectors.
Background info
chrome-php/chrome is vulnerable to CSS injection in versions 1.5.0 - 1.13.0.
How to fix this
Upgrade the chrome-php/chrome library to the patch version.
Links
GitHub Release
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant