`\n* `renderSSRHeadSuspenseChunk()` returned `window.${streamKey}.push(...)`\n\nNo esc"}},{"@type":"Question","name":"How severe is GHSA-x7mm-9vvv-64w8?","acceptedAnswer":{"@type":"Answer","text":"No CVSS score has been assigned to GHSA-x7mm-9vvv-64w8 yet. Review the advisory details and affected package list to assess your exposure."}},{"@type":"Question","name":"Which packages are affected by GHSA-x7mm-9vvv-64w8?","acceptedAnswer":{"@type":"Answer","text":"GHSA-x7mm-9vvv-64w8 affects the following packages: unhead (npm). Ecosystems affected: npm."}},{"@type":"Question","name":"How do I fix GHSA-x7mm-9vvv-64w8?","acceptedAnswer":{"@type":"Answer","text":"Update unhead to 3.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x7mm-9vvv-64w8 is resolved across your whole dependency graph."}},{"@type":"Question","name":"How do I detect GHSA-x7mm-9vvv-64w8 in my npm dependencies?","acceptedAnswer":{"@type":"Answer","text":"Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for unhead. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match."}},{"@type":"Question","name":"How do I mitigate GHSA-x7mm-9vvv-64w8 if there is no patch (or I can't update yet)?","acceptedAnswer":{"@type":"Answer","text":"If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands."}},{"@type":"Question","name":"How does O3 Security protect against GHSA-x7mm-9vvv-64w8?","acceptedAnswer":{"@type":"Answer","text":"O3 pinpoints whether GHSA-x7mm-9vvv-64w8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed."}},{"@type":"Question","name":"Is GHSA-x7mm-9vvv-64w8 actively exploited in the wild?","acceptedAnswer":{"@type":"Answer","text":"No public exploit code has been indexed for GHSA-x7mm-9vvv-64w8 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure."}},{"@type":"Question","name":"When was GHSA-x7mm-9vvv-64w8 published, and has it been updated?","acceptedAnswer":{"@type":"Answer","text":"GHSA-x7mm-9vvv-64w8 was published on April 10, 2026 and was last updated on April 10, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting."}}]}
Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-x7mm-9vvv-64w8

unhead: Streaming SSR `streamKey` injected into inline script without identifier validation

Published
Apr 10, 2026
Updated
Apr 10, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
📦unhead

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Summary

createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.

Details

streamKey was embedded into JavaScript source via dot notation in two public helpers:

  • createBootstrapScript() returned <script>window.${streamKey}={...}</script>
  • renderSSRHeadSuspenseChunk() returned window.${streamKey}.push(...)

No escaping, quoting, or identifier validation was applied before these strings were embedded into HTML. A streamKey such as __unhead__;globalThis.PWNED=1;// broke out of the intended property access and injected arbitrary JavaScript into the page. The JSON escaping used for streamed head entries did not protect streamKey because streamKey was inserted as raw code rather than as serialized data.

Impact

streamKey is a developer-chosen configuration value rather than a data field — the intended usage is a hardcoded identifier-shaped constant (default __unhead__). Exploitation therefore requires an application to explicitly route untrusted input into a configuration sink, which is not a documented or recommended pattern. We have no reports of any downstream project sourcing streamKey from request data.

Applications using the default streamKey, or any hardcoded custom key, are not affected.

PoC

import { createStreamableHead, renderSSRHeadShell } from 'unhead/stream/server'

const { head } = createStreamableHead({
  streamKey: '__unhead__;globalThis.PWNED=1;//',
})

const html = renderSSRHeadShell(
  head,
  '<!doctype html><html><head></head><body></body></html>',
)

// <!doctype html><html><head><script>window.__unhead__;globalThis.PWNED=1;//={_q:[],push(e){this._q.push(e)}}</script>…

Patch

Fixed on main in 64b5ac0. The fix will ship in the next patch release of unhead.

streamKey is now validated against a conservative ASCII JavaScript-identifier pattern (/^[$_a-z][$\w]*$/i) at every sink — createStreamableHead, createBootstrapScript, and the internal stream-key resolver. Invalid values throw immediately instead of being emitted into script output.

Workarounds

Do not pass untrusted data into createStreamableHead({ streamKey }) or createBootstrapScript(key). If per-tenant keys are required, whitelist them against an identifier-safe pattern before constructing the head instance.

Credit

Thanks to @Jvr2022 for the report.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmunhead3.0.0-beta.5&&< 3.0.13.0.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for unhead. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update unhead to 3.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x7mm-9vvv-64w8 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-x7mm-9vvv-64w8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-x7mm-9vvv-64w8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary `createStreamableHead({ streamKey })` interpolated its `streamKey` argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink. ### Details `streamKey` was embedded into JavaScript source via dot notation in two public helpers: * `createBootstrapScript()` returned `<script>window.${streamKey}={...}</script>` * `renderSSRHeadSuspenseChunk()` returned `window.${streamKey}.push(...)` No esc
O3 Security · Impact-Aware SCA

Is GHSA-x7mm-9vvv-64w8 in your dependencies?

O3 detects GHSA-x7mm-9vvv-64w8 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works