Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-7q9x-8g6p-3x75

@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template

Published
Mar 25, 2026
Updated
Mar 25, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@grackle-ai/servernpm
3Kdownloads / week

Description

Impact

The renderPairingPage() function embeds the error parameter directly into HTML without escaping:

const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";

All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.

The renderAuthorizePage() function in the same file correctly uses escapeHtml() for dynamic content, making this an inconsistency.

Affected code:

  • packages/server/src/index.ts:64-89renderPairingPage() with unescaped error interpolation
  • Compare: packages/server/src/index.ts:130renderAuthorizePage() correctly uses escapeHtml()

Patches

v0.70.1

Fix: Apply escapeHtml() to the error parameter:

const errorHtml = error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";

Workarounds

No workaround needed — all current callers pass hardcoded strings.

Resources

  • CWE-79: Improper Neutralization of Input During Web Page Generation
  • File: packages/server/src/index.ts

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@grackle-ai/serverall versions0.70.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @grackle-ai/server. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @grackle-ai/server to 0.70.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7q9x-8g6p-3x75 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-7q9x-8g6p-3x75 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-7q9x-8g6p-3x75. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact The `renderPairingPage()` function embeds the `error` parameter directly into HTML without escaping: ```typescript const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : ""; ``` All current call sites pass hardcoded strings, so this is **not exploitable today**. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability. The `renderAuthorizePage()` function in the same file correctly uses `escapeHtml()` for dynamic content, making this an inconsist
O3 Security · Impact-Aware SCA

Is GHSA-7q9x-8g6p-3x75 in your dependencies?

O3 detects GHSA-7q9x-8g6p-3x75 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works