
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-27108 affects dom-expressions, a fine-grained runtime for performant DOM rendering. The vulnerability was discovered and disclosed on February 21, 2025, and impacts versions prior to 0.39.5. The issue stems from improper use of JavaScript's .replace() function: when the replacement string contains special replacement patterns beginning with $, the function expands them instead of inserting the text literally, which opens up Cross-site Scripting (XSS) (NVD, GitHub Advisory).
The vulnerability occurs specifically in the context of the solid-meta package, which uses useAffect and context providers to inject assets into the HTML header. The dom-expressions package uses .replace() to insert these assets, but fails to handle special replacement patterns such as $' (the text following the match) or $` (the text preceding the match). When attributes of meta tags contain user-controlled data, this use of .replace() makes the application vulnerable to XSS. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (GitHub Advisory).
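The mechanism described above, as an added example that is not code from dom-expressions or solid-meta: a constructed HTML template and a marker stand in for the real asset injection. With a plain string as the replacement, String.prototype.replace expands $' and $` to the text after and before the match, so attacker-controlled text can pull surrounding document content into the inserted attribute. The two hardened variants (a replacer function, or escaping every $ as $$) insert the text literally. The template, marker and function names are assumptions for illustration.

```javascript
// Constructed template: the marker is where rendered <meta> markup would be inserted.
const TEMPLATE = '<head><!--ASSETS--></head><body>secret</body>';
const MARKER = '<!--ASSETS-->';

// Unsafe (hypothetical name): user-controlled text is used directly as the replacement
// string, so $` (text before the match), $' (text after the match) and $& (the match)
// are expanded rather than inserted verbatim.
function injectUnsafe(template, marker, userText) {
  return template.replace(marker, userText);
}

// Safe variant 1: a replacer function's return value is inserted literally; no
// replacement-pattern expansion takes place.
function injectSafe(template, marker, userText) {
  return template.replace(marker, () => userText);
}

// Safe variant 2: escape "$" as "$$" so a string replacement is taken literally.
// The replacement '$$$$' is itself a string replacement, producing two literal "$".
function escapeReplacement(s) {
  return s.replace(/\$/g, '$$$$');
}

function injectEscaped(template, marker, userText) {
  return template.replace(marker, escapeReplacement(userText));
}

// Defender-side check: does a string contain patterns that .replace() would expand?
// Covers $$, $&, $`, $', numbered groups ($1..) and named groups ($<name>).
function hasReplacementPattern(s) {
  return /\$(?:[$&`']|\d|<[^>]*>)/.test(s);
}

// Stand-alone demonstration.
const userInput = "x$'y"; // constructed input containing the $' pattern
console.log('unsafe :', injectUnsafe(TEMPLATE, MARKER, userInput));
console.log('safe   :', injectSafe(TEMPLATE, MARKER, userInput));
console.log('escaped:', injectEscaped(TEMPLATE, MARKER, userInput));
console.log('flagged:', hasReplacementPattern(userInput));
```

The unsafe call duplicates everything after the marker into the output, which is how text the author never placed inside the meta attribute ends up there; both safe variants leave the $' untouched. Switching to a replacer function is the smaller change, because it needs no knowledge of which patterns the engine recognises.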
If exploited, attackers can execute arbitrary JavaScript code in victims' web browsers. This is particularly concerning where meta tags are built from user data, for example Open Graph protocol tags on user profile pages. If an attacker sets a user query to a payload that abuses .replace(), they can achieve cross-site scripting. The vulnerability can lead to both reflected and stored XSS attacks, potentially compromising user data and browser content (GitHub Advisory).
The vulnerability has been patched in version 0.39.5 of dom-expressions. All users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability, making the upgrade the only effective mitigation strategy (NVD, GitHub Patch).
Source: This report was generated using AI