Vulnerability DatabaseGHSA-x7mm-9vvv-64w8

GHSA-x7mm-9vvv-64w8:
JavaScript vulnerability analysis and mitigation

Summary

createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.

Details

streamKey was embedded into JavaScript source via dot notation in two public helpers:

createBootstrapScript() returned <script>window.${streamKey}={...}</script>
renderSSRHeadSuspenseChunk() returned window.${streamKey}.push(...)No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A streamKey such as __unhead__;globalThis.PWNED=1;// broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect streamKey because streamKey was inserted as raw code rather than as serialized data.

Impact

streamKey is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default __unhead__). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing streamKey from request data. Applications using the default streamKey, or any hardcoded custom key, are not affected.

PoC

import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server'
const { head } = createStreamableHead({
  streamKey: '__unhead__;globalThis.PWNED=1;//',
})
const html = renderSSRHeadShell(
  head,
  '<!doctype html><html><head></head><body></body></html>',
)
// <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>…

Patch

Fixed on main in 64b5ac0. The fix will ship in the next patch release of unhead. streamKey is now validated against a conservative ASCII JavaScript-identifier pattern (/^[$_a-z][$\w]*$/i) at every sink — createStreamableHead, createBootstrapScript, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.

Workarounds

Do not pass untrusted data into createStreamableHead({ streamKey }) or createBootstrapScript(key). If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.

Credit

Thanks to @Jvr2022 for the report.

Source: NVD

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-68qg-g8mg-6pr7	CRITICAL	10	JavaScript	@paperclipai/server	No	Yes	Apr 10, 2026
GHSA-jvff-x2qm-6286	HIGH	8.8	JavaScript	mathjs	No	Yes	Apr 10, 2026
GHSA-75hx-xj24-mqrw	HIGH	8.2	JavaScript	n8n-mcp	No	Yes	Apr 10, 2026
CVE-2026-40299	MEDIUM	6.9	JavaScript	next-intl	No	Yes	Apr 10, 2026
GHSA-x7mm-9vvv-64w8	LOW	2.3	JavaScript	unhead	No	Yes	Apr 10, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-x7mm-9vvv-64w8: JavaScript vulnerability analysis and mitigation