@inertiajs/core is vulnerable to Cross-Site Scripting (XSS)
59
Medium Risk
When Inertia receives a non-Inertia response such as a server error page, it renders the returned HTML inside a modal or dialog iframe by writing it into a same-origin, unsandboxed iframe with document.write. Scripts contained in that response execute in the application origin and can reach window.parent, giving them access to the host page. An attacker who can cause the server to reflect attacker-controlled markup in such an error response can run script with access to the parent application context. The fix renders the content through the iframe srcdoc attribute together with a sandbox attribute so embedded scripts run in an isolated context that cannot access window.parent.
You are affected if you are using a version that falls within the vulnerable range and your server can return attacker-influenced HTML in a non-Inertia error response that Inertia renders in its error modal.
@inertiajs/core is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 2.3.21 and 3.0.0 - 3.0.3.
Upgrade the @inertiajs/core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant