
CVE-2025-48939: tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript

CVSS Score: 4.2

Basic Information

EPSS Score: -
Published: 7/3/2025
Updated: 7/3/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L

Package Name: tarteaucitronjs
Ecosystem: npm
Vulnerable Versions: < 1.22.0
First Patched Version: 1.22.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a classic case of DOM Clobbering in tarteaucitron.js. The commit 230a3b69d363837acfa895823d841e0608826ba3 shows both the vulnerable code and the fix. The flaw is not inside a specific function but in the script's global scope, which runs as soon as the browser loads the script. The line `tarteaucitronPath = (document.currentScript || scripts[scripts.length - 1]).src.split('?')[0]` is the source of the issue: it reads the `src` property of `document.currentScript` without first verifying that the value is actually a script element. An attacker who can place a DOM element with `name="currentScript"` in the page shadows the legitimate `document.currentScript` property with that element, so the `src` the script reads is the attacker's. The patch addresses this by explicitly checking that `document.currentScript` is an instance of `HTMLScriptElement` before using it. Because the code executes at the top level, a runtime profiler would attribute it to the global scope, which is why `(global scope)` is listed as the vulnerable function name.

Vulnerable functions

(global scope) in tarteaucitron.js

The vulnerability lies in the global scope of `tarteaucitron.js`, where the `tarteaucitronPath` variable is initialized. The code directly accesses `document.currentScript.src` without validating that `document.currentScript` is a `<script>` element. An attacker can inject a crafted HTML element such as `<img name="currentScript">` to clobber the `document.currentScript` property. The script then reads the malicious element's `src` attribute instead of its own, allowing the attacker to control the base path from which subsequent resources are loaded.
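The path derivation described above, as an added example that is not tarteaucitron.js's own code: the pre-fix expression beside the patched `instanceof HTMLScriptElement` check, run against a constructed stand-in for `document` (the element classes, the `makeDocument` helper and the URLs are assumptions made for the example so that it runs under Node without a browser).

```javascript
// Minimal stand-ins for the two element types involved (constructed, not the real DOM).
class HTMLScriptElement { constructor(src) { this.src = src; } }
class HTMLImageElement  { constructor(name, src) { this.name = name; this.src = src; } }

// Constructed `document` stand-in. A named element called "currentScript"
// takes precedence over the real executing script, mirroring the
// named-property override that DOM Clobbering relies on.
function makeDocument(scripts, namedElements = []) {
  const executing = scripts[scripts.length - 1];
  const clobbered = namedElements.find((el) => el.name === 'currentScript');
  return { scripts, currentScript: clobbered || executing };
}

// Pre-1.22.0 behaviour: trusts document.currentScript without checking its type.
function vulnerablePath(doc) {
  const scripts = doc.scripts;
  return (doc.currentScript || scripts[scripts.length - 1]).src.split('?')[0];
}

// Patched behaviour: only a genuine <script> element is accepted; anything
// else falls through to the last <script> in the document, the same fallback
// the original expression already used for browsers without currentScript.
function hardenedPath(doc) {
  const scripts = doc.scripts;
  const cs = doc.currentScript;
  const script = cs instanceof HTMLScriptElement ? cs : scripts[scripts.length - 1];
  return script.src.split('?')[0];
}

// Constructed sample page: the legitimate script, then the same page with an
// injected <img name="currentScript"> whose src points at another host.
const legit = new HTMLScriptElement('https://cdn.example.test/tarteaucitron/tarteaucitron.js?v=1');
const cleanDoc = makeDocument([legit]);
const clobberedDoc = makeDocument(
  [legit],
  [new HTMLImageElement('currentScript', 'https://evil.example.test/x.png')]
);

console.log('clean, vulnerable :', vulnerablePath(cleanDoc));
console.log('clobbered, vuln   :', vulnerablePath(clobberedDoc));
console.log('clobbered, fixed  :', hardenedPath(clobberedDoc));
```

The clobbered document makes the vulnerable expression return the injected element's URL, while the hardened version keeps resolving to the real script's path.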

WAF Protection Rules

WAF Rule

A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `<script>` element. If an attacker injected an HTML element such as `<img name="currentScript" src="https
