spree_storefront is vulnerable to Cross-Site Scripting (XSS)
34
Low Risk
The default spree_storefront theme builds JSON-LD structured data in inline <script type="application/ld+json"> blocks using .to_json.html_safe without escaping angle brackets and ampersands, while spree_api disables ActiveSupport JSON HTML-entity escaping globally. Attacker-controlled product, post, or store fields embedded in those blocks can inject a literal </script> sequence and break out into executable HTML. The injected script then runs in the browser of visitors who load pages containing the affected JSON-LD markup. The fix centralizes JSON-LD output in a json_ld_script helper that serializes through ERB::Util.json_escape before rendering the script tag.
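The two patterns the advisory contrasts, as an added example that is not spree_storefront's own code: a vulnerable render that interpolates raw JSON into the script tag, beside a hardened helper that escapes the serialized JSON first. It is plain Ruby with the stdlib `json` gem (no Rails), so `.html_safe` is modelled as direct interpolation, `JSON.generate` stands in for `to_json` with HTML-entity escaping off, and `json_escape` is a local re-implementation that assumes the same escape table as ActiveSupport's `ERB::Util.json_escape`. The product record is constructed.

```ruby
require "json"

# Constructed attacker-controlled product record: the description carries a
# closing </script> tag followed by a script that would run in the visitor's
# browser if the JSON-LD block is rendered without escaping.
ATTACKER_PRODUCT = {
  "@context" => "https://schema.org",
  "@type" => "Product",
  "name" => "Widget",
  "description" => "Nice widget</script><script>alert(document.cookie)</script>",
}.freeze

# Vulnerable pattern: serialize, then drop the raw JSON into the script tag.
# In Rails this is `data.to_json.html_safe`; here plain interpolation plays
# that role. JSON.generate does not escape <, > or & by default.
def vulnerable_json_ld_script(data)
  "<script type=\"application/ld+json\">#{JSON.generate(data)}</script>"
end

# Local stand-in for ActiveSupport's ERB::Util.json_escape (assumption: same
# escape table). Characters that can end a <script> element or start an entity
# become JSON \uXXXX escapes, so the text stays valid JSON and decodes to the
# same string, but the HTML parser never sees a literal "</script".
JSON_ESCAPE = {
  "&" => '\u0026',
  ">" => '\u003e',
  "<" => '\u003c',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

def json_escape(s)
  s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
end

# Hardened pattern with the shape of the fix described above: one helper that
# escapes the serialized JSON before wrapping it in the script tag.
def json_ld_script(data)
  "<script type=\"application/ld+json\">#{json_escape(JSON.generate(data))}</script>"
end

# Breakout check: the HTML tokenizer ends a script element at the first
# "</script" it meets (case-insensitive), regardless of JSON string quoting.
# Any occurrence before the final closing tag means the block was escaped from.
def script_breakout?(html)
  body = html.sub(/\A<script[^>]*>/i, "").downcase
  body.index("</script") != body.rindex("</script")
end

# JSON-LD consumers parse the JSON text, where \u003c is identical to "<",
# so the escaped output round-trips to the original field value.
def parsed_description(html)
  json = html[/<script[^>]*>(.*)<\/script>\z/m, 1]
  JSON.parse(json)["description"]
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_json_ld_script(ATTACKER_PRODUCT)
  puts json_ld_script(ATTACKER_PRODUCT)
end
```

Run it and compare the two lines: the first contains a bare `</script><script>` inside the JSON string, the second carries `\u003c/script\u003e` instead, and `JSON.parse` recovers the same description from both. Escaping with `\uXXXX` rather than HTML entities is what keeps the block valid for structured-data consumers, since the content of a `<script>` element is not entity-decoded by the browser.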
You are affected if your application resolves spree_storefront to a version in the vulnerable range, 5.4.0 through 5.4.1; check the version pinned in your Gemfile.lock rather than the Gemfile constraint.
Upgrade spree_storefront to a version outside that range. If you have overridden the default theme's JSON-LD partials, make sure your copies also render through the json_ld_script helper rather than calling .to_json.html_safe directly, since the upgrade only fixes the templates the gem ships.