GHSA-3mjm-x6gw-2x42: @grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers
The HTTP server does not set Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks.
While the current XSS attack surface is small (React-markdown is configured safely, no dangerouslySetInnerHTML, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer.
Affected code:
packages/server/src/index.ts: all res.writeHead() calls only set Content-Type, with no security headers
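As an added example (not code from @grackle-ai/server), a helper that merges the three missing headers into every res.writeHead() call, the vulnerable pattern from the advisory beside its hardened form, and a mock-response audit that would catch a regression in a unit test. The CSP value is an assumed baseline and must be tuned to what the application actually loads.

```javascript
// Added example, not @grackle-ai/server code. Assumed baseline policy: a real
// CSP has to match the scripts, styles and connect targets the page uses.
const SECURITY_HEADERS = Object.freeze({
  'Content-Security-Policy':
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'X-Frame-Options': 'DENY',            // clickjacking guard for browsers without frame-ancestors
  'X-Content-Type-Options': 'nosniff',  // stops MIME sniffing of the response body
});

// Merge the security headers into one response's headers. Caller-supplied
// headers win, so a single route can override the baseline (e.g. a stricter CSP).
function withSecurityHeaders(contentType, extra = {}) {
  return { 'Content-Type': contentType, ...SECURITY_HEADERS, ...extra };
}

// Audit helper: names of the required headers missing from a headers object.
// Header names are compared case-insensitively, as HTTP does.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(SECURITY_HEADERS).filter((h) => !present.has(h.toLowerCase()));
}

// Vulnerable pattern described by the advisory: only Content-Type is set.
function vulnerableHandler(res) {
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
  res.end('<h1>hello</h1>');
}

// Hardened form: the same call with the security headers merged in.
// Wire it up with http.createServer((req, res) => hardenedHandler(res)).
function hardenedHandler(res) {
  res.writeHead(200, withSecurityHeaders('text/html; charset=utf-8'));
  res.end('<h1>hello</h1>');
}

// Minimal stand-in for http.ServerResponse that records what writeHead() set,
// so handlers can be audited in a unit test without opening a socket.
function captureHeaders(handler) {
  let captured = {};
  const res = {
    writeHead(_status, headers) { captured = headers; return res; },
    end() {},
  };
  handler(res);
  return captured;
}
```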