@adonisjs/http-server is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
The base ExceptionHandler in the AdonisJS HTTP server renders error responses as HTML by interpolating error.message and validation message.field / message.message values directly into the markup without escaping. When an application serves HTML error responses in production and an error carries attacker-influenced content, such as a not-found route path or submitted validation field names, the raw values are reflected into the response body. A remote attacker can inject HTML or script that executes in the victim's browser, resulting in reflected cross-site scripting. The fix HTML-escapes the error message and validation field/message values before embedding them in the response.
You are affected if you are using a version that falls within the vulnerable range and your application serves HTML error or validation responses that include user-supplied content.
@adonisjs/http-server is vulnerable to Cross-Site Scripting (XSS) in versions 7.0.0 - 8.2.0 and 9.0.0 - 9.0.2.
Upgrade the @adonisjs/http-server library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant