CVE-2024-53384: tsup DOM Clobbering vulnerability
CVSS Score: 5.1 (CVSS v3.1)
Basic Information

| Field | Value |
|---|---|
| CVE ID | CVE-2024-53384 |
| GHSA ID | |
| EPSS Score | 0.23629% |
| CWE | |
| Published | 3/3/2025 |
| Updated | 3/3/2025 |
| KEV Status | No |
| Technology | JavaScript |
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tsup | npm | <= 8.3.4 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from tsup's handling of `import.meta.url` in browser contexts. The `getImportMetaUrl` function in `cjs_shims.js` reads `document.currentScript.src` directly, and `document.currentScript` can be clobbered by an attacker-controlled DOM element (e.g., `<img name='currentScript'>`). The shim never verifies that `document.currentScript` is actually a `<script>` element, so the clobbered element's `src` is accepted as the module URL and the intended checks are bypassed. The GitHub Gist proof-of-concept and technical analysis confirm that this pattern matches known DOM Clobbering attack vectors.
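The following is an added example, not tsup's own code: a naive `import.meta.url` shim that trusts `document.currentScript` as-is, next to a hardened version that only accepts a real `<script>` element with an absolute URL. Because it runs under Node with no DOM, `document` and its elements are constructed plain objects standing in for the browser's; the function names, the `FALLBACK` value and the URLs are assumptions for the demo.

```javascript
// Naive shim, modelled on the pattern the advisory describes: whatever
// `document.currentScript` resolves to is trusted, even a clobbered <img>.
function getImportMetaUrlNaive(doc, fallback) {
  const script = doc.currentScript;
  return script && script.src ? script.src : fallback;
}

// Hardened shim: accept the value only when it comes from a genuine
// <script> element and parses as an absolute URL. In a real browser the
// element check would be `el instanceof HTMLScriptElement`; this stand-in
// compares tagName because the demo objects are not DOM nodes.
function isScriptElement(el) {
  return !!el && typeof el === 'object' && el.tagName === 'SCRIPT';
}

function getImportMetaUrlHardened(doc, fallback) {
  const script = doc.currentScript;
  if (!isScriptElement(script) || typeof script.src !== 'string') {
    return fallback;
  }
  try {
    return new URL(script.src).href; // throws on relative or garbage values
  } catch (e) {
    return fallback;
  }
}

// Constructed stand-ins for the two document states (not real DOM objects).
const realScript = { tagName: 'SCRIPT', src: 'https://app.example/bundle.js' };
// What `<img name='currentScript' src=...>` injected into the page yields
// once it shadows the built-in `document.currentScript` getter.
const clobberImg = { tagName: 'IMG', name: 'currentScript',
                     src: 'https://attacker.example/x.js' };
const cleanDoc = { currentScript: realScript };
const clobberedDoc = { currentScript: clobberImg };
const FALLBACK = 'file:///unknown';

// Runs both shims against both documents so the difference is visible.
function demo() {
  return {
    naiveClean: getImportMetaUrlNaive(cleanDoc, FALLBACK),
    naiveClobbered: getImportMetaUrlNaive(clobberedDoc, FALLBACK),
    hardenedClean: getImportMetaUrlHardened(cleanDoc, FALLBACK),
    hardenedClobbered: getImportMetaUrlHardened(clobberedDoc, FALLBACK),
  };
}

console.log(demo());
```

The naive shim hands back the attacker-controlled `src` for the clobbered document, while the hardened shim falls back to the safe default and still returns the real script URL for the clean one.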