CVE-2026-31873
Case-Sensitive URI Check in Unhead Enables CSS Injection
Publication date: 2026-03-12
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unjs | unhead | < 2.1.11 (up to 2.1.11, exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31873 is a vulnerability in the npm package "unhead" (versions up to 2.1.10) where the sanitization of the href attribute in the makeTagSafe function is case-sensitive. The code uses String.includes() to detect dangerous URI schemes like "javascript:" or "data:", but because this check is case-sensitive, it fails to detect uppercase or mixed-case variants such as "DATA:" or "JAVASCRIPT:".

Browsers treat URI schemes case-insensitively, so an attacker can inject malicious URIs like DATA:text/css,... in the href attribute of a <link> tag. This causes the browser to load arbitrary CSS, which can be exploited for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks.

The vulnerability is fixed in version 2.1.11 by converting the href value to lowercase before checking for dangerous schemes. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker to inject arbitrary CSS into a web application using the unhead package, which can lead to UI redressing attacks or data exfiltration through CSS attribute selectors with background-image callbacks.
However, the CVSS v3.1 base score is 0.0, indicating low severity with no impact on confidentiality, integrity, or availability. The attack requires no privileges or user interaction and has low complexity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the source code or rendered output for link tags with href attributes containing URI schemes like "data:" or "javascript:" in uppercase or mixed case, which bypass the case-sensitive sanitization.

A practical detection method is to search your codebase or rendered HTML for href attributes in link tags that include uppercase or mixed-case variants of dangerous schemes.

- Use grep or similar tools to find suspicious href values, for example: `grep -i 'href=.*data:' -r ./`
- Check server-side rendered output for link tags with href attributes starting with uppercase or mixed-case "DATA:" or "JAVASCRIPT:" schemes. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the unhead package to version 2.1.11 or later, where the sanitization logic correctly converts href values to lowercase before checking for dangerous URI schemes.

If upgrading is not immediately possible, modify the sanitization code to convert the href attribute value to lowercase before performing the includes check, as shown below:

```javascript
if (key === 'href') {
  const lower = val.toLowerCase();
  if (lower.includes('javascript:') || lower.includes('data:')) {
    return;
  }
  next[key] = val;
}
```

This fix prevents bypassing the URI scheme check by case variations and stops malicious CSS injection. [1]
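The following is an added example, not unhead's own code, that models the makeTagSafe href check before and after the fix and adds the rendered-HTML scan suggested in the detection answer above. The function names, the attribute-map shape and the sample HTML are constructed for illustration.

```javascript
// Added example (not unhead's own code): the href check as it behaved before
// and after the CVE-2026-31873 fix, plus a scanner for rendered <link> tags.
const DANGEROUS_SCHEMES = ['javascript:', 'data:'];

// Vulnerable check (pre-2.1.11): String.includes() is case-sensitive,
// so a value such as "DATA:text/css,..." is not recognised as dangerous.
function hrefIsBlockedVulnerable(val) {
  return DANGEROUS_SCHEMES.some((scheme) => val.includes(scheme));
}

// Fixed check (2.1.11): lowercase first, because browsers treat URI
// schemes case-insensitively.
function hrefIsBlockedFixed(val) {
  const lower = val.toLowerCase();
  return DANGEROUS_SCHEMES.some((scheme) => lower.includes(scheme));
}

// Build the sanitised attribute map, dropping href values the check rejects.
// (Hypothetical shape; mirrors the "next[key] = val" pattern in the advisory.)
function makeTagSafe(attrs, isBlocked) {
  const next = {};
  for (const [key, val] of Object.entries(attrs)) {
    if (key === 'href' && isBlocked(String(val))) continue; // drop unsafe href
    next[key] = val;
  }
  return next;
}

// Detection: list href values of <link> tags in rendered HTML that carry a
// dangerous scheme in any letter case. Whitespace after the quote is skipped.
function findDangerousLinkHrefs(html) {
  const linkHref = /<link\b[^>]*\bhref\s*=\s*["']?\s*([^"'\s>]+)/gi;
  const hits = [];
  for (const m of html.matchAll(linkHref)) {
    if (hrefIsBlockedFixed(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample output: one benign stylesheet, one mixed-case data: URI.
const SAMPLE_HTML =
  '<link rel="stylesheet" href="/app.css">' +
  '<link rel="stylesheet" href="DATA:text/css,body{display:none}">';

console.log(findDangerousLinkHrefs(SAMPLE_HTML)); // [ 'DATA:text/css,body{display:none}' ]
```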