GHSA-jq4p-mq33-w375
MEDIUMCross-site Scripting when rendering error messages in laminas-form
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
laminas/laminas-form🐘laminas/laminas-form🐘laminas/laminas-formReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
When rendering validation error messages via the formElementErrors() view helper shipped with laminas-form, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not being escaped for HTML contexts, which can potentially lead to a Reflected Cross-Site Scripting (XSS) attack.
Patches
The following versions were issued to mitigate the vulnerability:
- 2.17.1
- 3.0.2
- 3.1.1
Workarounds
At the top of a view script where you call the formElementErrors() view helper, place the following code:
use Laminas\Form\ElementInterface;
use Laminas\View\PhpRenderer;
$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
$messages = $element->getMessages();
if (! $messages) {
return;
}
$escaped = [];
array_walk_recursive(
$messages,
static function (string $item) use (&$escaped, $renderer): void {
$escaped[] = $renderer->escapeHtml($item);
}
};
$element->setMessages($escaped);
};
Before calling formElementErrors() with a form, fieldset, or element, call the above closure as follows
// Usage with a form
// $this is the view renderer
$escapeMessages($form, $this);
// Usage with a fieldset
// $this is the view renderer
$escapeMessages($fieldset, $this);
// Usage with a form element
// $this is the view renderer
$escapeMessages($element, $this);
For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | laminas/laminas-form | ≥ 3.1.0&&< 3.1.1 | 3.1.1 |
| 🐘Packagist | laminas/laminas-form | ≥ 3.0.0&&< 3.0.2 | 3.0.2 |
| 🐘Packagist | laminas/laminas-form | all versions | 2.17.1 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for laminas/laminas-form. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update laminas/laminas-form to 3.1.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jq4p-mq33-w375 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-jq4p-mq33-w375 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-jq4p-mq33-w375. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-jq4p-mq33-w375 in your dependencies?
O3 detects GHSA-jq4p-mq33-w375 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.