🔒 XSS Vulnerability in NodeGoat Demo Repository - Development Config Exposes Script Injection Risk

A security vulnerability report identifies a Cross-Site Scripting (XSS) vulnerability in the RSOLV-dev/nodegoat-vulnerability-demo repository. The vulnerability is classified as HIGH severity and is present in one file. The specific issue is located in `config/env/development.js` at line 11, where the code directly uses `document.write` with user input, creating a potential vector for script injection attacks. The vulnerable code snippet is part of a livereload script injection that concatenates the host location without proper escaping. This flaw could allow attackers to inject malicious scripts that execute in other users' browsers if the development configuration is improperly exposed or used in a vulnerable context. The report recommends always escaping user input before rendering it in HTML, using context-appropriate escaping functions, and considering templating engines with automatic escaping. The finding was automatically generated by the RSOLV security scanner on March 4, 2026, and is tagged with CWE-79 and OWASP A03:2021 classifications. The repository maintainers are provided with dismissal options including labeling as false-positive, won't-fix, accepted-risk, or deferred.