CVE-2025-48939 MEDIUM

CVE-2025-48939: tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript

Vendor Amauric
Product tarteaucitron.js
Weakness CWE-138
Published July 3, 2025
Last update July 3, 2025

CVSS base score

4.2/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L

What the vulnerability does

01Description

tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.

Key dates

02Disclosure timeline

July 3, 2025 CVE published
July 3, 2025 Record updated