4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31476

GHSA ID

GHSA-p5g4-v748-6fh8

EPSS Score

0.11887%

CWE

CWE-79

Published

4/7/2025

Updated

4/7/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31476

CVE-2025-31476:
tarteaucitron.js allows url scheme injection via unfiltered inputs

A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link.

Impact

An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to:

Execution of arbitrary JavaScript code
Theft of sensitive data through phishing attacks
Modification of the user interface behavior

Fix https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02

The issue was resolved by enforcing strict URL validation, ensuring that they start with http:// or https:// before being used.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31476

GHSA ID

GHSA-p5g4-v748-6fh8

EPSS Score

0.11887%

CWE

CWE-79

Published

4/7/2025

Updated

4/7/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tarteaucitronjs	npm	< 1.20.1	1.20.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patch modifies the getElemAttr function to add validation for URL attributes and restrict srcdoc handling. This indicates:

The function was responsible for processing element attributes including URLs
Pre-patch versions lacked proper scheme validation (allowed javascript:)
The function's output was used in contexts where unvalidated URLs could trigger XSS
The vulnerability manifests when this function processes malicious 'url' or 'srcdoc' attributes, which would appear in stack traces during exploitation

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s i**nti*i** in `t*rt**u*itron.js`, *llowin* * us*r wit* *i** privil***s (****ss to t** sit*'s sour** *o** or * *MS plu*in) to *nt*r * URL *ont*inin* *n ins**ur* s***m* su** *s `j*v*s*ript:*l*rt()`. ***or* t** *ix, URL v*li**tion w*

Reasoning

T** s**urity p*t** mo*i*i*s t** **t*l*m*ttr *un*tion to *** v*li**tion *or URL *ttri*ut*s *n* r*stri*t sr**o* **n*lin*. T*is in*i**t*s: *. T** *un*tion w*s r*sponsi*l* *or pro**ssin* *l*m*nt *ttri*ut*s in*lu*in* URLs *. Pr*-p*t** v*rsions l**k** pro

4.8

Basic Information

Concerned about an active attack path?

CVE-2025-31476: tarteaucitron.js allows url scheme injection via unfiltered inputs

Impact

Fix https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-31476:
tarteaucitron.js allows url scheme injection via unfiltered inputs

Vulnerability Intelligence
Miggo AI