4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-53386

GHSA ID

GHSA-fp3m-g5rc-4c28

EPSS Score

0.16743%

CWE

CWE-94

Published

3/3/2025

Updated

3/3/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-53386

CVE-2024-53386: Stage.js DOM Clobbering vulnerabilty

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-53386

GHSA ID

GHSA-fp3m-g5rc-4c28

EPSS Score

0.16743%

CWE

CWE-94

Published

3/3/2025

Updated

3/3/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
stage-js	npm	<= 0.8.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Stage.js's URL resolution logic in Class.resolve. The nested getScriptSrc function (lines 158-159 in core.js) relies on document.currentScript which is vulnerable to DOM clobbering via elements like <img name='currentScript'>. This allows attackers to control the base URL used for script loading, enabling malicious script injection. The provided PoC demonstrates this by overriding document.currentScript.src to load external resources. The direct use of document.currentScript without DOM clobbering protections makes this function the primary vulnerability vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

St***.js t*rou** *.*.** *llows *OM *lo***rin* (wit* r*sult*nt XSS *or untrust** input t**t *ont*ins *TML *ut *o*s not *ir**tly *ont*in J*v*S*ript), ****us* *o*um*nt.*urr*ntS*ript lookup **n ** s***ow** *y *tt**k*r-inj**t** *TML *l*m*nts.

Reasoning

T** vuln*r**ility st*ms *rom `St***.js`'s URL r*solution lo*i* in `*l*ss.r*solv*`. T** n*st** `**tS*riptSr*` *un*tion (lin*s ***-*** in `*or*.js`) r*li*s on `*o*um*nt.*urr*ntS*ript` w*i** is vuln*r**l* to *OM *lo***rin* vi* *l*m*nts lik* `<im* n*m*='

4.9

Basic Information

Concerned about an active attack path?

CVE-2024-53386: Stage.js DOM Clobbering vulnerabilty

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI