CVE-2025-48939 (GCVE-0-2025-48939)
Vulnerability from cvelistv5
Published
2025-07-03 16:26
Modified
2025-07-03 19:15
Severity ?
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L
CWE
  • CWE-138 - Improper Neutralization of Special Elements
Summary
tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.
References
Impacted products
Vendor Product Version
AmauriC tarteaucitron.js Version: < 1.22.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-03T19:13:08.496030Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-03T19:15:22.798Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tarteaucitron.js",
          "vendor": "AmauriC",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.22.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual \u003cscript\u003e element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the \u003cscript\u003e tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-138",
              "description": "CWE-138: Improper Neutralization of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-03T16:26:31.304Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98"
        },
        {
          "name": "https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3"
        }
      ],
      "source": {
        "advisory": "GHSA-q43x-79jr-cq98",
        "discovery": "UNKNOWN"
      },
      "title": "tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-48939",
    "datePublished": "2025-07-03T16:26:31.304Z",
    "dateReserved": "2025-05-28T18:49:07.580Z",
    "dateUpdated": "2025-07-03T19:15:22.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-48939\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-03T17:15:39.300\",\"lastModified\":\"2025-07-08T16:19:11.700\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual \u003cscript\u003e element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the \u003cscript\u003e tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.\"},{\"lang\":\"es\",\"value\":\"tarteaucitron.js es un banner de cookies compatible y accesible. Antes de la versi\u00f3n 1.22.0, se identific\u00f3 una vulnerabilidad en tarteaucitron.js donde se acced\u00eda a document.currentScript sin verificar que hiciera referencia a un elemento \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.1,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-138\"}]}],\"references\":[{\"url\":\"https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48939\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-03T19:13:08.496030Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-03T19:14:17.594Z\"}}], \"cna\": {\"title\": \"tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript\", \"source\": {\"advisory\": \"GHSA-q43x-79jr-cq98\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"AmauriC\", \"product\": \"tarteaucitron.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.22.0\"}]}], \"references\": [{\"url\": \"https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98\", \"name\": \"https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3\", \"name\": \"https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual \u003cscript\u003e element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the \u003cscript\u003e tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-138\", \"description\": \"CWE-138: Improper Neutralization of Special Elements\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-03T16:26:31.304Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48939\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-03T19:15:22.798Z\", \"dateReserved\": \"2025-05-28T18:49:07.580Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-03T16:26:31.304Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.