Unhead Arbitrary HTML Attribute Injection Vulnerability in SSR-Rendered Head Tags

Vulnerability

A cross-site scripting vulnerability has been identified in Unhead versions prior to 2.1.11. The issue arises in the 'useHeadSafe()' composable, which the Nuxt documentation recommends for safely managing user-generated content. The vulnerability allows arbitrary HTML attributes, including event handlers, to be injected into server-side rendered head tags. This is possible because the 'acceptDataAttrs' function does not properly validate attribute names: it accepts keys that break out of the HTML attribute grammar, so the serialized output can contain attributes the caller never intended. As a result, injected attributes can execute scripts when the corresponding events are triggered.

Impact

Exploitation of this vulnerability allows cross-site scripting: injected scripts are executed in the context of the affected user's browser session.

Reproduction

To reproduce this vulnerability, use Unhead version 2.1.10 or earlier and implement the 'useHeadSafe()' composable. Inject a 'data-*' attribute whose name contains a space followed by an event handler into the head tags. Because the name is written into the rendered markup unchanged, the browser parses it as two attributes and executes the script when the event is triggered. This can be done by, for example, using a 'link' tag with a 'data-' attribute that includes an 'onload' event handler.
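The root cause above is that an attribute name is trusted on the strength of its prefix alone and then written into markup unescaped. The following JavaScript is an added illustration, not Unhead's own code: the function names, the regular expression and the sample input are assumptions. It contrasts a prefix-only check with a strict allow-list for data-* names and shows how the serialized output differs for a constructed key that carries a space and a second attribute name.

```javascript
// Added example (not Unhead's own code): why a prefix-only check on
// data-* attribute names is insufficient, and a strict allow-list that
// closes the gap. All names below are hypothetical.

// Weak check: only looks at the prefix, so a key containing whitespace,
// quotes or '=' still passes and later splits into extra attributes.
function prefixOnlyAccept(name) {
  return typeof name === 'string' && name.startsWith('data-');
}

// Strict check (hypothetical, not Unhead's acceptDataAttrs): the whole
// key must match a conservative data-* name grammar, so no whitespace,
// quotes, '=', '/' or '>' can ever reach the serializer.
const DATA_ATTR_NAME = /^data-[a-z0-9_.-]+$/;
function strictAccept(name) {
  return typeof name === 'string' && DATA_ATTR_NAME.test(name);
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialize a tag with only the attributes that pass `accept`. Values are
// always quoted and escaped; names are emitted verbatim, which is exactly
// why the name check has to be strict.
function renderTag(tagName, attrs, accept) {
  const parts = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (!accept(name)) continue;
    parts.push(`${name}="${escapeAttrValue(value)}"`);
  }
  return parts.length ? `<${tagName} ${parts.join(' ')}>` : `<${tagName}>`;
}

// Constructed input: a user-controlled key whose name carries a space and
// a second, event-handler attribute name. The value is deliberately inert.
const untrustedAttrs = { 'data-track onload': 'x', 'data-id': '42' };

// Weak check: the space survives and the browser sees two attributes,
// one of them an event handler.
const weakOutput = renderTag('link', untrustedAttrs, prefixOnlyAccept);
// Strict check: the malformed key is dropped entirely.
const strictOutput = renderTag('link', untrustedAttrs, strictAccept);

// Rough attribute count, the way a tokenizer would split the tag body:
// whitespace-separated tokens, each optionally followed by a quoted value.
function countAttributes(html) {
  const firstSpace = html.indexOf(' ');
  if (firstSpace === -1) return 0;
  const inner = html.slice(firstSpace + 1, -1);
  const tokens = inner.match(/[^\s"]+(?:"[^"]*")?/g);
  return tokens ? tokens.length : 0;
}

console.log(weakOutput);   // two attributes grew out of one key
console.log(strictOutput); // only the well-formed data-id remains
```

The strict regular expression is intentionally narrower than what HTML itself permits in an attribute name; for head-tag metadata that is the right trade-off, because every character admitted into a name is emitted without escaping.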

Remediation

Users can upgrade to Unhead version 2.1.11 or later, where this vulnerability has been fixed.

Added: Mar 12, 2026, 6:24 PM
Updated: Mar 12, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.3
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.