CVE-2026-1721: When JSON.stringify() Betrays You in Cloudflare Agents
Source: Dev.to
## Overview
- Vulnerability ID: CVE-2026-1721
- CVSS Score: 6.2 (Medium)
- Published: 2026-02-13
- Vulnerability Type: Reflected Cross‑Site Scripting (XSS)
- CWE ID: CWE‑79
- Attack Vector: Network (Reflected)
- Exploit Status: PoC Available

A reflected XSS flaw exists in the Cloudflare Agents AI Playground (versions [...] `<script>` block to render error information. Because browsers parse `</script>` tags inside the generated JSON string, an attacker can break out of the JSON context and inject arbitrary JavaScript, leading to session hijacking and data exfiltration (e.g., LLM chat history and Model Context Protocol (MCP) servers).
## Technical Details
- Root Cause: Misunderstanding of how browsers parse script tags within inline HTML. `JSON.stringify` does not escape `</script>` sequences, allowing an attacker to terminate the script tag early.
- Typical Vulnerable Code:

```javascript
// Vulnerable handler (inline script)
// JSON.stringify quotes the value for JavaScript but leaves "<" and ">" untouched.
const safeError = JSON.stringify(result.authError);
return new Response(`<script>alert(${safeError})</script>`);
```

- Exploitation: An attacker supplies a crafted `authError` value containing `maliciousCode()`, causing the injected script to execute in the victim’s browser.
## Impact
- Session Hijacking: Attackers can steal authentication tokens or MCP session identifiers.
- Data Exfiltration: Sensitive chat logs and model context data can be read and transmitted to an attacker‑controlled endpoint.
- Scope: Affects any application that uses the vulnerable `agents` npm package (versions [...] window.close()`);
2. **Use a proper serializer for HTML contexts.**
Replace `JSON.stringify` with a library that escapes HTML characters, such as `serialize-javascript`.
3. **Implement a Content Security Policy (CSP).**
Disallow inline scripts (`script-src 'self'`) and enable `nonce` or `hash`‑based script execution.
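
An added example (not from the original article or the `agents` code base) contrasting the `JSON.stringify` pattern described above with a serializer that is safe inside an inline script. The function names and the sample error string are constructed for illustration, and the hand-written escaping stands in for a library such as `serialize-javascript`.

```javascript
// Added example: all names below are hypothetical, not from the agents package.

// Characters that can end or disturb an inline <script> element, plus the two
// Unicode line separators, are rewritten as \uXXXX escapes.
const UNSAFE_IN_SCRIPT = /[<>&\u2028\u2029]/g;

// Serialize a value for embedding inside an inline <script> block.
// \uXXXX escapes are valid in JSON and JS string literals, so the value the
// script sees at run time is identical to the input.
function jsonForInlineScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) return "null"; // undefined, functions, symbols
  return json.replace(UNSAFE_IN_SCRIPT, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The pattern from the page: raw JSON.stringify output in a script element.
function renderVulnerable(authError) {
  return `<script>alert(${JSON.stringify(authError)})</script>`;
}

// Same response body, built with the HTML-aware serializer.
function renderHardened(authError) {
  return `<script>alert(${jsonForInlineScript(authError)})</script>`;
}

// Count the script end tags an HTML tokenizer would find in the body.
// A correct response contains exactly one: the handler's own closing tag.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample input: an error string that carries a script end tag.
const sample = "access_denied</script><b>constructed sample</b>";

console.log("vulnerable end tags:", countScriptEndTags(renderVulnerable(sample)));
console.log("hardened end tags:  ", countScriptEndTags(renderHardened(sample)));
console.log("round trip intact:  ", JSON.parse(jsonForInlineScript(sample)) === sample);
```

A count above one means user-controlled data closed the script element early, which makes `countScriptEndTags` usable as a regression check on callback handlers.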
## Remediation Steps
- **Upgrade** the `agents` npm package to **version 0.3.10** or later.
- **Audit** any custom OAuth callback handlers for usage of `JSON.stringify` (or similar) inside HTML/JS responses.
- **Validate** that `error` and `error_description` parameters are never rendered raw in the response body.
- **Deploy** a CSP that blocks inline scripts and only permits trusted sources.
## References
- [GitHub Pull Request #841](https://github.com/cloudflare/agents/pull/841) – Fix implementation.
- [NVD Entry for CVE‑2026‑1721](https://nvd.nist.gov/vuln/detail/CVE-2026-1721) – Official vulnerability record.