Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31873 is a vulnerability in the npm package "unhead" (versions up to 2.1.10) where the sanitization of the href attribute in the makeTagSafe function is case-sensitive. The code uses String.includes() to detect dangerous URI schemes like "javascript:" or "data:", but because this check is case-sensitive, it fails to detect uppercase or mixed-case variants such as "DATA:" or "JAVASCRIPT:".'}, {'type': 'paragraph', 'content': 'Browsers treat URI schemes case-insensitively, so an attacker can inject malicious URIs like DATA:text/css,... in the href attribute of a <link> tag. This causes the browser to load arbitrary CSS, which can be exploited for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks.'}, {'type': 'paragraph', 'content': 'The vulnerability is fixed in version 2.1.11 by converting the href value to lowercase before checking for dangerous schemes.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to inject arbitrary CSS into a web application using the unhead package, which can lead to UI redressing attacks or data exfiltration through CSS attribute selectors with background-image callbacks.

However, the CVSS v3.1 base score is 0.0, indicating low severity with no impact on confidentiality, integrity, or availability. The attack requires no privileges or user interaction and has low complexity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the source code or rendered output for link tags with href attributes containing URI schemes like "data:" or "javascript:" in uppercase or mixed case, which bypass the case-sensitive sanitization.'}, {'type': 'paragraph', 'content': 'A practical detection method is to search your codebase or rendered HTML for href attributes in link tags that include uppercase or mixed-case variants of dangerous schemes.'}, {'type': 'list_item', 'content': "Use grep or similar tools to find suspicious href values, for example: grep -i 'href=.*data:' -r ./"}, {'type': 'list_item', 'content': 'Check server-side rendered output for link tags with href attributes starting with uppercase or mixed-case "DATA:" or "JAVASCRIPT:" schemes.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate step to mitigate this vulnerability is to upgrade the unhead package to version 2.1.11 or later, where the sanitization logic correctly converts href values to lowercase before checking for dangerous URI schemes.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, modify the sanitization code to convert the href attribute value to lowercase before performing the includes check, as shown below:'}, {'type': 'list_item', 'content': "if (key === 'href') { const lower = val.toLowerCase(); if (lower.includes('javascript:') || lower.includes('data:')) { return; } next[key] = val; }"}, {'type': 'paragraph', 'content': 'This fix prevents bypassing the URI scheme check by case variations and stops malicious CSS injection.'}] [1]

Useful 0 Not Useful 0