CVE-2025-27108

Published: 21 Feb 2025
Source: nvd
CVSS3: 7.3 (High)
CVSS3: 6.1 (Medium)
EPSS: Low

Description

dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of JavaScript's `.replace()` opens up potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of a Meta tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `` $` ``, to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which inject the used assets into the HTML header. dom-expressions uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the Open Graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could
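The mechanism described above, as an added example that is not dom-expressions' or solid-meta's code: a constructed page template, the `.replace()` call with a string replacement value beside the hardened form that uses a function replacer (whose return value is inserted verbatim), plus a small review check for `$`-sequences in untrusted attribute values. All names and sample values are assumptions.

```javascript
// Added example (not dom-expressions or solid-meta code): how a string
// replacement value lets "$'" and "$`" pull template text into an attribute,
// and how a function replacer avoids it. All names and values are constructed.

// Constructed page template; __ASSETS__ marks where head assets are spliced in.
const TEMPLATE =
  '<html><head>__ASSETS__</head><body><h1>Profile</h1></body></html>';

// Vulnerable pattern: when the second argument is a string, String.prototype
// .replace() interprets $-sequences in it ($', $`, $&, $$, $n, $<name>).
function insertAssetsUnsafe(template, assets) {
  return template.replace('__ASSETS__', assets);
}

// Hardened pattern: a function replacer's return value is inserted verbatim,
// so user-controlled text inside `assets` is never interpreted.
function insertAssetsSafe(template, assets) {
  return template.replace('__ASSETS__', () => assets);
}

// Review/logging check: does an untrusted value contain a sequence that a
// string replacement would interpret? (Heuristic: $n and $<name> only matter
// with a RegExp pattern, but flagging them as well is harmless.)
function hasReplacementPattern(value) {
  return /\$(?:[$&`']|\d|<)/.test(value);
}

// Constructed asset tags whose attribute value is attacker-controlled.
const TAINTED_SUFFIX = '<meta property="og:title" content="$\'">'; // $' = text after the match
const TAINTED_PREFIX = '<meta property="og:title" content="$`">';  // $` = text before the match

function demo() {
  const unsafe = insertAssetsUnsafe(TEMPLATE, TAINTED_SUFFIX);
  const safe = insertAssetsSafe(TEMPLATE, TAINTED_SUFFIX);
  console.log('unsafe:', unsafe); // the attribute now holds "</head><body>..."
  console.log('safe:  ', safe);   // the attribute holds the literal characters $'
  return { unsafe, safe };
}

demo();
```

With the string replacement, the part of the template after (or before) the marker is copied into the attribute, so the resulting markup no longer matches what the template author wrote; the function replacer keeps the two characters literal.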

Vulnerable configurations

Configuration 1
cpe:2.3:a:ryansolid:dom_expressions:*:*:*:*:*:*:*:*
Versions before 0.39.5 (excluding)

EPSS

Probability: 0.00196 (Low)
Percentile: 42%


Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 7.3
Source: github
12 months ago

DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace
