Preact JSON VNode Injection Vulnerability Allowing HTML Injection

Vulnerability

A vulnerability in Preact, a lightweight web development framework, allows HTML injection via JSON type confusion. The issue is a regression affecting Preact versions 10.26.5 prior to 10.26.10, 10.27.0 prior to 10.27.3, and 10.28.0 prior to 10.28.2. It affects applications that pass unmodified, unsanitized values from user-modifiable data sources directly into the render tree and assume those values are strings, while the data source can in fact return parsed JavaScript objects rather than JSON strings; such an object can then be treated as a virtual DOM node. Exploitation can lead to arbitrary script execution if not mitigated by a Content Security Policy (CSP) or other means.

Impact

Exploitation of this vulnerability results in HTML injection into the rendered page, with the potential for arbitrary script execution if the application is not protected by a CSP or similar measures.

Remediation

Users should upgrade to Preact versions 10.26.10, 10.27.3, or 10.28.2, depending on their current version. For those unable to upgrade immediately, it is recommended to validate input types, cast or validate network data, sanitize external data, and implement a strict Content Security Policy.
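The input-type validation recommended above, applied to the data flow described in the Vulnerability section, as an added example that is neither Preact's code nor part of the advisory. The `validateProfile` helper, the `displayName`/`bio` field names and the two sample payloads are constructed assumptions; the hostile payload only mimics the shape of the problem (a field that should be a string arriving as a JSON object) and is deliberately inert.

```javascript
// Text guard: accept only primitives that render as text. Objects, arrays
// and functions are rejected, so an attacker-controlled JSON object can
// never be handed to the renderer where it might be mistaken for a VNode.
function asText(value, fieldName = "value") {
  if (typeof value === "string") return value;
  if (typeof value === "number" || typeof value === "boolean") return String(value);
  if (value === null || value === undefined) return "";
  const kind = Array.isArray(value) ? "array" : typeof value;
  throw new TypeError(`${fieldName}: expected a primitive, got ${kind}`);
}

// Validate a whole API payload against the shape the component expects and
// return a fresh object containing only known fields, each coerced to text.
// Unknown fields are dropped rather than forwarded into the render tree.
function validateProfile(raw) {
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new TypeError("profile: expected a JSON object");
  }
  return {
    displayName: asText(raw.displayName, "displayName"),
    bio: asText(raw.bio, "bio"),
  };
}

// Constructed sample payloads (not real traffic). The second one stands in
// for the advisory's type confusion: displayName is an object, not a string.
const benignPayload = '{"displayName":"alice","bio":"hello"}';
const hostilePayload =
  '{"displayName":{"type":"b","props":{"children":"injected"}},"bio":"hi"}';

// Parse-then-validate: the render call site (e.g. <Profile {...props} />)
// only ever receives the validated object, never the raw parsed JSON.
function loadProfile(jsonText) {
  return validateProfile(JSON.parse(jsonText));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(loadProfile(benignPayload));
  try {
    loadProfile(hostilePayload);
  } catch (err) {
    console.log("rejected:", err.message);
  }
}
```

Passing the validated object rather than the raw `JSON.parse` result into the component is the point: the check has to sit between the network boundary and the render tree, not inside the component.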

Added: Jan 8, 2026, 3:22 PM
Updated: Jan 8, 2026, 6:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.