@mapbox/mapbox-gl-geocoder is vulnerable to Cross-site Scripting (XSS)
60
Medium Risk
Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) because the geocoder's suggestion render function does not sanitize the place_name input before inserting it into the page. An attacker can exploit this by supplying a location name that contains executable JavaScript (e.g., ><img src=x onerror=alert(1)>); the payload executes as soon as the suggestion is rendered in the user's browser, potentially compromising user sessions or stealing sensitive data. The flaw breaks the trust boundary between user-supplied content and rendered output and requires no user interaction beyond triggering the geocoder suggestion dropdown.
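To make the weakness concrete, the following added example (not the library's own code; function names and the sample suggestion object are assumptions) builds a suggestion entry the way the advisory describes, by interpolating place_name straight into markup, and places a hardened version beside it that HTML-escapes place_name first so the quoted payload renders as visible text instead of an element.

```javascript
// Added example, not code from @mapbox/mapbox-gl-geocoder.
// Constructed sample resembling a geocoder result; place_name carries the
// payload quoted in the advisory.
const SAMPLE_SUGGESTION = {
  place_name: '><img src=x onerror=alert(1)>',
  text: 'x',
};

// Vulnerable shape: untrusted place_name concatenated into HTML. Once this
// string reaches innerHTML, the browser parses the <img> and runs onerror.
function renderSuggestionUnsafe(feature) {
  return '<div class="suggestion">' + feature.place_name + '</div>';
}

// Escape the characters that change meaning in an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened shape: place_name is escaped before interpolation, so the payload
// is displayed literally. (When a DOM is available, assigning the value via
// textContent on a created element achieves the same effect.)
function renderSuggestionSafe(feature) {
  return '<div class="suggestion">' + escapeHtml(feature.place_name) + '</div>';
}

// Simple check usable in a unit test or a review of rendered output: after
// stripping the known template wrapper, is any tag left in the markup?
function containsForeignTag(html) {
  const stripped = html.replace(/^<div class="suggestion">|<\/div>$/g, '');
  return /<[a-z]/i.test(stripped);
}
```

Running containsForeignTag over both renderers with SAMPLE_SUGGESTION shows the unsafe output carries an injected tag while the escaped output does not.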
You are affected if you are using a version that falls within the vulnerable range.
@mapbox/mapbox-gl-geocoder is vulnerable to Cross-site Scripting (XSS) in versions 4.0.0 - 5.1.1.
Upgrade the @mapbox/mapbox-gl-geocoder library to a patched version.