logo

Database

Reflected cross-site scripting (XSS) In tarteaucitronjs

Description

tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element such as:

<img name="currentScript" src="https://malicious.example.com">

it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the

This issue arises because in some browser environments, named DOM elements (e.g., name="currentScript") become properties on the global document object.

Impact

An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron.

Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3

The issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now falls back safely to the last

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-489392. NVD-2025-489393. OSV-2025-489394. GHSA-q43x-79jr-cq985. GCVE-2025-48939

References

1. https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq982. https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.