tarteaucitron.js allows prototype pollution via custom text injection
- Severity: Medium
Description
A prototype pollution vulnerability was identified in tarteaucitron.js. The addOrUpdate function, which copies user-supplied custom texts into the library's text tables, did not validate the keys of the object it received. Because keys such as `__proto__` were not rejected, a crafted custom-text object could write properties onto Object.prototype and so affect every object in the page.
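The following is an added example illustrating the class of bug described above; it is not the library's own code, and the names addOrUpdateVulnerable, addOrUpdateSafe and makeLangTable are hypothetical stand-ins for the library's internals. It models a recursive "apply custom texts" merge, shows how a `__proto__` key in attacker-controlled input pollutes Object.prototype, and places the hardened variant (own keys only, prototype-related keys skipped) beside it.

```javascript
// Added example, not tarteaucitron.js source. Hypothetical stand-in for a
// per-language text table that custom texts are merged into.
function makeLangTable() {
  return { alertBig: 'This site uses cookies', acceptAll: 'Accept all' };
}

// Vulnerable pattern: every key from the untrusted object is assigned onto the
// target, recursing into nested objects. For key "__proto__", target[key] is
// Object.prototype, so the recursion writes attacker-chosen properties there.
function addOrUpdateVulnerable(target, custom) {
  for (const key in custom) {
    const value = custom[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      addOrUpdateVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: iterate own keys only, refuse keys that reach the prototype
// chain, and only recurse into properties the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function addOrUpdateSafe(target, custom) {
  for (const key of Object.keys(custom)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = custom[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      addOrUpdateSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it might arrive in a JSON configuration.
// JSON.parse creates "__proto__" as an ordinary own property, which is exactly
// what the vulnerable merge then walks into.
const MALICIOUS_CUSTOM_TEXT = JSON.parse(
  '{"alertBig":"Custom banner","__proto__":{"isAdmin":true}}'
);

// Returns true if an unrelated, freshly created object now "has" isAdmin,
// i.e. Object.prototype was polluted. Cleans up afterwards.
function demoVulnerable() {
  addOrUpdateVulnerable(makeLangTable(), MALICIOUS_CUSTOM_TEXT);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Same payload through the hardened merge: the legitimate key is applied,
// the prototype key is dropped, and no global side effect occurs.
function demoSafe() {
  const lang = addOrUpdateSafe(makeLangTable(), MALICIOUS_CUSTOM_TEXT);
  return {
    polluted: ({}).isAdmin === true,
    alertBig: lang.alertBig,
    acceptAll: lang.acceptAll,
  };
}

console.log('vulnerable merge polluted Object.prototype:', demoVulnerable());
console.log('hardened merge result:', demoSafe());
```

The key check is the same one applied in most prototype pollution fixes: skip `__proto__`, `constructor` and `prototype` before assigning, and never recurse into a property the target only inherits. Storing text tables in objects created with Object.create(null) is a further defence where the rest of the code can tolerate it.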
Recommendation
Update the tarteaucitronjs package to the latest compatible version. Version details:
- Affected version(s): < 1.20.1
- Patched version(s): 1.20.1
References
Related Issues
- tarteaucitron.js allows UI manipulation via unrestricted CSS injection - CVE-2025-31138
- tarteaucitron.js allows url scheme injection via unfiltered inputs - CVE-2025-31476
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- Tags:
- npm
- tarteaucitronjs
Last updated on April 07, 2025