unhead is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
The server-side head rendering pipeline in unhead interpolates attribute names directly into HTML without validating them, so a key containing spaces, quotes, or angle brackets can terminate the intended attribute and inject additional HTML attributes such as event handlers. The useHeadSafe() guard, which is recommended for untrusted content, only blocks exact single-token rel values and does not re-check link href after template-parameter substitution, allowing multi-token rel values and substituted dangerous URIs to slip through. Duplicate attributes were also not collapsed with browser first-value semantics during template extraction, letting an inert tag be rewritten into an active one. The fix rejects invalid attribute names in normalization and serialization, preserves first-duplicate attribute semantics, and revalidates rel token lists and href values after resolution.
You are affected if you are using a version that falls within the vulnerable range and your application renders untrusted or user-controlled values into document head tags, including via useHeadSafe().
unhead is vulnerable to Cross-Site Scripting (XSS) in versions 3.0.0 - 3.1.6.
Upgrade the unhead library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant