GHSA-HVQH-JW65-WCPQ is a medium-severity cross-site scripting (XSS) vulnerability in devbridge-autocomplete (npm), affecting versions <= 2.0.0. It is fixed in 2.0.1.
Summary The default formatGroup and formatResult functions in devbridge-autocomplete concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source. Details formatGroup, category is interpolated raw. src/format.ts: If groupBy is used and the grouping field of any suggestion contains HTML, that HTML is executed. formatResult, early-return branch returns suggestion.value raw. src/format.ts: The early-return branch is reached when suggest() renders with an empty currentValue, which happens with minChars: 0 and a server that returns suggestions for an empty query. The returned string is concatenated into the container's innerHTML. PoC (formatGroup) Originally identified by an earlier human analysis; the PoC above was produced with the assistance of Claude Opus 4.7. Impact XSS in pages that render attacker-controllable suggestion data. The actual impact depends on what the embedding page has access to (cookies, session tokens, DOM), per standard reflected/stored XSS. Patch Both formatters now run their interpolated input through the browser's text-node escaping (createElement + textContent) before producing the HTML string. Fixed in version 2.0.1.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
GHSA-HVQH-JW65-WCPQ has a CVSS score of 5.4 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.0.1). Upgrading removes the vulnerable code path.
npm
devbridge-autocomplete (<= 2.0.0)devbridge-autocomplete → 2.0.1 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-HVQH-JW65-WCPQ is reachable in your applications. Explore open-source security for your team.
See if GHSA-HVQH-JW65-WCPQ is reachable in your applications. Get a demo
Already deployed Kodem? See GHSA-HVQH-JW65-WCPQ in your environment →Upgrade devbridge-autocomplete to 2.0.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
GHSA-HVQH-JW65-WCPQ is a medium-severity cross-site scripting (XSS) vulnerability in devbridge-autocomplete (npm), affecting versions <= 2.0.0. It is fixed in 2.0.1. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
GHSA-HVQH-JW65-WCPQ has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
devbridge-autocomplete (npm) versions <= 2.0.0 is affected.
Yes. GHSA-HVQH-JW65-WCPQ is fixed in 2.0.1. Upgrade to this version or later.
Whether GHSA-HVQH-JW65-WCPQ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade devbridge-autocomplete to 2.0.1 or later.