CVE-2025-48939

Published: Jul 3, 2025

Modified: Jul 3, 2025

PUBLISHED

CVSS v3.1

4.2

MEDIUM

Description

tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.

Vendor	Product	Versions
AmauriC	tarteaucitron.js	affected `< 1.22.0`

Weaknesses (CWE)

CWE-138

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

References

https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98

x_refsource_CONFIRM

https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-48939

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References