GHSA-7q9x-8g6p-3x75: @grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template
Summary
A function called `renderPairingPage()` in the @grackle-ai/server library embeds error messages directly into HTML without escaping (a process that makes text safe for display in web pages). While current uses pass only hardcoded strings and are not exploitable now, future code changes that pass user-controlled input could create an XSS vulnerability (a type of attack where malicious code is injected into a webpage).
Solution / Mitigation
Update to v0.70.1. The fix applies `escapeHtml()` to the error parameter by changing `${error}` to `${escapeHtml(error)}` in the HTML template string, matching the safer approach already used in the `renderAuthorizePage()` function in the same file.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-7q9x-8g6p-3x75
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%