CVE-2025-48939
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amauri | tarteaucitronjs | up to 1.22.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-138 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in tarteaucitron.js (prior to version 1.22.0) involves improper handling of the document.currentScript property. The script accesses document.currentScript without verifying that it actually references a <script> element. In some browsers, named DOM elements can become properties on the global document object, allowing an attacker who can inject HTML to override (clobber) document.currentScript. This causes the script to resolve incorrectly to a non-script element, leading to unexpected behavior such as failure to load the script path correctly or manipulation of the CDN domain used by tarteaucitron.js. The issue was fixed by adding a check to ensure document.currentScript is an instance of HTMLScriptElement before using it, falling back to the last <script> tag if not. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unexpected behavior or failure to load the tarteaucitron.js script correctly, potentially allowing an attacker with HTML injection capabilities to manipulate the CDN domain from which the script is loaded. This can affect the integrity and availability of the script, possibly causing disruptions in cookie banner functionality or loading malicious scripts instead. However, it does not impact confidentiality. Exploitation requires local access, high privileges, and user interaction. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with checking whether the tarteaucitron.js version in use is prior to 1.22.0, as those versions are vulnerable. Additionally, inspecting the page's HTML for injected elements named 'currentScript' that could clobber the document.currentScript property can indicate exploitation attempts. No specific network commands are provided, but you can audit your web pages' source code for suspicious named elements and verify the tarteaucitron.js script version. For example, in a browser console you might run `console.log(document.currentScript instanceof HTMLScriptElement)` while the script is executing to check that currentScript resolves to a real script element. Reviewing script tags and their src attributes can also help detect anomalies. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update tarteaucitron.js to version 1.22.0 or later, where the vulnerability is patched. The patch includes verifying that document.currentScript is an instance of HTMLScriptElement before using it, preventing DOM clobbering attacks. If updating is not immediately possible, ensure that your HTML does not allow injection of elements named 'currentScript' that could override the property, and restrict high-privilege users from injecting malicious HTML. Applying the official patch or updating the library is the recommended action. [1, 2]
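The following is an added example, not code from tarteaucitron.js, the vendor, or BaseFortify. It models the document.currentScript clobbering described in the explanation above, places the pre-1.22.0 pattern (trusting document.currentScript unconditionally) beside the patched pattern (accept only an HTMLScriptElement, otherwise fall back to the last <script> tag), and adds the small audit for clobbering elements suggested in the detection answer. The element classes, the document factory, and the hostnames ending in .invalid are constructed stand-ins so the code runs under Node without a browser DOM; the function names are this example's own.

```javascript
// Constructed stand-ins for the browser DOM (not real browser classes).
class HTMLElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName.toUpperCase();
    this.attrs = { ...attrs };
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  // Like the browser, img/script/iframe elements all expose a src property,
  // which is why a clobbered currentScript still "has" a src to read.
  get src() { return this.getAttribute('src') || ''; }
}
class HTMLScriptElement extends HTMLElement { constructor(attrs) { super('script', attrs); } }
class HTMLImageElement extends HTMLElement { constructor(attrs) { super('img', attrs); } }

// Build a document-like object. `currentScript` is whatever the browser would hand
// back: the executing <script> on a clean page, or a named element once clobbered
// (Document uses [LegacyOverrideBuiltIns], so name="currentScript" shadows the getter).
function makeDocument(elements, currentScript) {
  return {
    currentScript,
    getElementsByTagName(tag) {
      return elements.filter((el) => el.tagName === tag.toUpperCase());
    },
  };
}

// Pre-1.22.0 style: trusts document.currentScript unconditionally, so a clobbered
// value silently changes the host the library believes it was loaded from.
function scriptHostUnpatched(doc) {
  return new URL(doc.currentScript.src).hostname;
}

// Patched style: accept only a real HTMLScriptElement; otherwise fall back to the
// last <script> on the page (the one executing during a synchronous load).
function resolveCurrentScript(doc, ScriptCtor = HTMLScriptElement) {
  if (doc.currentScript instanceof ScriptCtor) return doc.currentScript;
  const scripts = doc.getElementsByTagName('script');
  return scripts.length ? scripts[scripts.length - 1] : null;
}

function scriptHostPatched(doc) {
  const script = resolveCurrentScript(doc);
  return script ? new URL(script.src).hostname : null;
}

// Audit helper for the detection step: list elements whose name or id would clobber
// document.currentScript. On document the named-property namespace comes from the
// name attribute of img, form, iframe, embed and object elements; id is flagged as
// well because it populates window-level lookups.
function findClobberingElements(elements) {
  return elements.filter(
    (el) => el.getAttribute('name') === 'currentScript' || el.getAttribute('id') === 'currentScript'
  );
}

// Constructed sample pages (hostnames are placeholders).
const libScript = new HTMLScriptElement({ src: 'https://cdn.example.invalid/tarteaucitron/tarteaucitron.js' });
const cleanPage = makeDocument([libScript], libScript);

const injected = new HTMLImageElement({ name: 'currentScript', src: 'https://injected.invalid/x.js' });
const clobberedPage = makeDocument([injected, libScript], injected);

console.log(JSON.stringify({
  unpatchedOnClean: scriptHostUnpatched(cleanPage),
  unpatchedOnClobbered: scriptHostUnpatched(clobberedPage),
  patchedOnClobbered: scriptHostPatched(clobberedPage),
  clobberingElements: findClobberingElements([injected, libScript]).map((el) => el.tagName),
}, null, 2));
```

Running it shows the unpatched path resolving the clobbered image's host on the injected page while the patched path still resolves the CDN host, and the audit helper flags the injected image. The same audit can be run in a real browser console by replacing the constructed `elements` array with `Array.from(document.querySelectorAll('[name="currentScript"], [id="currentScript"]'))`.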