GHSA-7q9x-8g6p-3x75: @grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template
The renderPairingPage() function embeds the error parameter directly into HTML without escaping:
const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";
All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.
The renderAuthorizePage() function in the same file correctly uses escapeHtml() for dynamic content, making this an inconsistency.
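As an added example that is not part of this advisory or the @grackle-ai/server code base, the unescaped pattern beside a hardened variant that routes the error through escapeHtml() the way renderAuthorizePage() does. The escapeHtml() body, the surrounding page markup and the sample error string are assumptions, since the project's own are not shown here.

```typescript
// Added example, not code from @grackle-ai/server. The escapeHtml()
// implementation and the page wrapper below are assumptions.

function escapeHtml(s: string): string {
  // Escape the five characters that can break out of text or attribute
  // context. "&" goes first so later entities are not double-escaped.
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The fragile pattern the advisory describes: `error` is interpolated
// into the template verbatim, so any markup in it reaches the browser.
function renderPairingPageUnescaped(error?: string): string {
  const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";
  return `<html><body>${errorHtml}</body></html>`;
}

// Hardened variant: the dynamic value passes through escapeHtml() before
// interpolation, consistent with renderAuthorizePage() in the same file.
function renderPairingPageEscaped(error?: string): string {
  const errorHtml = error
    ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>`
    : "";
  return `<html><body>${errorHtml}</body></html>`;
}

// Constructed sample input standing in for the "future dynamic content"
// the advisory warns about: an error message that happens to carry markup.
const SAMPLE_ERROR = 'Pairing failed: <script>x()</script> & "code"';

// Detection helper: true when rendered output still contains a raw tag
// from the input, i.e. the escaping step was skipped.
function containsRawTag(html: string, tag: string): boolean {
  return html.includes(`<${tag}`);
}
```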
Affected code:
packages/server/src/index.ts:64-89: renderPairingPage() with unescaped error interpolation
Compare: packages/server/src/index.ts:130: renderAuthorizePage() correctly uses escapeHtml()