=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN418
_____________________________________________________________________

DATE                : 04/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running tarteaucitron.js versions
                     prior to 1.22.0.

=====================================================================
https://github.com/advisories/GHSA-hqp6-mjw3-f586
_____________________________________________________________________


DOM Clobbering via document.currentScript
Moderate
AmauriC published GHSA-q43x-79jr-cq98 Jul 3, 2025

Package
tarteaucitron.js (Github)

Affected versions
<1.22.0

Patched versions
1.22.0


Description

A vulnerability was identified in tarteaucitron.js where
document.currentScript was accessed without verifying that it
referenced an actual <script> element. If an attacker injected an HTML
element such as:

<img name="currentScript" src="https://malicious.example.com">

it could clobber the document.currentScript property. The script then
resolves to that element instead of the <script> tag, leading to
unexpected behaviour or to the script path not being determined
correctly.

This issue arises because in some browser environments, named DOM elements
(e.g., name="currentScript") become properties on the global document
object.


Impact

An attacker with control over the HTML could exploit this to change the
CDN domain of tarteaucitron.


Fix 230a3b6

The issue was resolved by verifying that document.currentScript is an
instance of HTMLScriptElement. If not, the script now falls back safely
to the last <script> tag on the page.
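The clobbering scenario from the description and the kind of check the fix describes, as an added example that is not tarteaucitron.js code; the DOM element classes and the sample documents are constructed stand-ins so it runs under Node (in a browser the instanceof check targets the built-in HTMLScriptElement):

```javascript
// Constructed stand-ins for DOM element classes (example only, not the
// project's code): they carry just the `src` property the lookup needs.
class HTMLScriptElementStub { constructor(src) { this.src = src; } }
class HTMLImageElementStub  { constructor(src) { this.src = src; } }

// Vulnerable pattern: trusts document.currentScript without checking
// what kind of element it actually refers to.
function naiveScriptSrc(doc) {
  return doc.currentScript.src;
}

// Hardened pattern, as in the fix: accept document.currentScript only
// when it is a genuine <script> element, otherwise fall back to the
// last <script> tag on the page.
function hardenedScriptSrc(doc, ScriptClass = HTMLScriptElementStub) {
  const cur = doc.currentScript;
  if (cur instanceof ScriptClass) return cur.src;
  const scripts = doc.getElementsByTagName('script');
  return scripts.length ? scripts[scripts.length - 1].src : null;
}

// The CDN origin a loader would derive from the script URL; this is the
// value the advisory's Impact section says an attacker could alter.
function cdnOrigin(src) {
  return src ? new URL(src).origin : null;
}

// Constructed document in which the element from the advisory,
// <img name="currentScript" src="https://malicious.example.com">, has
// been injected: the named element shadows document.currentScript.
function makeClobberedDocument() {
  const scripts = [new HTMLScriptElementStub('https://cdn.example.org/tarteaucitron.js')];
  return {
    currentScript: new HTMLImageElementStub('https://malicious.example.com'),
    getElementsByTagName: (tag) => (tag === 'script' ? scripts : []),
  };
}

// Constructed document without injection: both lookups agree here.
function makeCleanDocument() {
  const scripts = [new HTMLScriptElementStub('https://cdn.example.org/tarteaucitron.js')];
  return {
    currentScript: scripts[0],
    getElementsByTagName: (tag) => (tag === 'script' ? scripts : []),
  };
}
```

On the clobbered document the naive lookup yields the attacker's origin while the hardened lookup still returns the real CDN; a detection check in a test suite can assert exactly that difference.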

Severity
Moderate (4.2 / 10)

CVSS v3 base metrics
Attack vector      : Local
Attack complexity  : Low
Privileges required: High
User interaction   : Required
Scope              : Changed
Confidentiality    : None
Integrity          : Low
Availability       : Low
Vector string      : CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L

CVE ID
CVE-2025-48939

Weaknesses
CWE-138


Credits

    @Rudloff (Rudloff), finder



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
