GHSA-x7mm-9vvv-64w8: unhead: Streaming SSR `streamKey` injected into inline script without identifier validation

April 10, 2026

createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.

References

github.com/advisories/GHSA-x7mm-9vvv-64w8
github.com/unjs/unhead
github.com/unjs/unhead/commit/64b5ac0aa30cc256ea6677ce3dc4f132f81b2ff6
github.com/unjs/unhead/security/advisories/GHSA-x7mm-9vvv-64w8

Code Behaviors & Features

Detect and mitigate GHSA-x7mm-9vvv-64w8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →