tarteaucitron.js allows prototype pollution via custom text injection

Severity:: Medium

Description

A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input.

Recommendation

Update the tarteaucitronjs package to the latest compatible version. Followings are version details:

Affected version(s): < 1.20.1
Patched version(s): 1.20.1

References

GHSA-4hwx-xcc5-2hfc
CVE-2025-31475
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Strapi Password Hashing is Missing Maximum Password Length Validation - CVE-2025-25298
DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware - CVE-2025-59037
Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008

Tags:: npm; tarteaucitronjs

Anything's wrong? Let us know Last updated on April 07, 2025