tarteaucitron Cross-site Scripting (XSS)

Description

Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight(). This is related to SNYK-JS-TARTEAUCITRONJS-8366541

Recommendation

Update the tarteaucitronjs package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.17.0
• Patched version(s): 1.17.0

References

• GHSA-8wp9-x25p-8794
• security.snyk.io
• CVE-2025-1467
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
• Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - vega-expression - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - vega-interpreter - CVE-2025-59840

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

tarteaucitronjs