tarteaucitron.js allows prototype pollution via custom text injection
Severity: Medium
Description
A prototype pollution vulnerability was identified in tarteaucitron.js: the addOrUpdate function, used to apply caller-supplied custom texts, did not properly validate its input. Prototype pollution of this kind occurs when a merge routine copies attacker-controlled keys such as `__proto__` without filtering them, so the write lands on Object.prototype and changes the behaviour of every object in the page rather than only the text table being updated.
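The following is an added illustration of the bug class, not tarteaucitron.js's own code: a recursive "add or update" merge of custom texts in a constructed vulnerable form, beside a hardened form that rejects the keys which reach the prototype chain. The default text table, the function names `addOrUpdateVulnerable`/`addOrUpdateSafe` and the malicious JSON payload are all assumptions made for the example.

```javascript
// Added example (not the library's code). Shows how an unfiltered recursive
// merge of user-supplied "custom texts" pollutes Object.prototype, and how a
// key filter prevents it.

// Constructed stand-in for a default text table.
function defaultTexts() {
  return { en: { acceptAll: "Accept all", denyAll: "Deny all" } };
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE (hypothetical): keys are copied as-is. For key "__proto__",
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the attacker's nested keys onto the shared prototype.
function addOrUpdateVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      addOrUpdateVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: iterate own keys only, refuse the three keys that reach the
// prototype chain, and create nested containers without a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function addOrUpdateSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop polluting keys
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      addOrUpdateSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. JSON taken from a URL parameter or an
// embedding page's config. JSON.parse defines "__proto__" as an OWN property,
// so for...in / Object.keys both see it.
const MALICIOUS_TEXTS = JSON.parse(
  '{"en":{"acceptAll":"OK"},"__proto__":{"polluted":"yes"}}'
);

// Runs both merges and reports whether an unrelated fresh object was affected.
function demo() {
  const result = {};

  // 1. Vulnerable merge: a brand-new {} now inherits the attacker's key.
  addOrUpdateVulnerable(defaultTexts(), MALICIOUS_TEXTS);
  result.vulnerablePolluted = {}.polluted === "yes";
  delete Object.prototype.polluted; // undo the pollution before step 2

  // 2. Hardened merge: legitimate keys still apply, prototype untouched.
  const safe = addOrUpdateSafe(defaultTexts(), MALICIOUS_TEXTS);
  result.safeAccept = safe.en.acceptAll;
  result.safeDeny = safe.en.denyAll;
  result.safePolluted = {}.polluted !== undefined;

  return result;
}
```

The hardened version relies on two things: `Object.keys` plus the explicit deny-list stops `__proto__`, `constructor` and `prototype` from ever being used as a property name, and `Object.create(null)` for new nested containers means there is no prototype chain to walk into even if a future change to the filter misses a key. A quick check in an application is to run `({}).polluted` (or any unexpected key) after loading user-supplied configuration; a value other than `undefined` means the prototype has been written to.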
Recommendation
Update the tarteaucitronjs package to the latest compatible version. Version details:
- Affected version(s): < 1.20.1
- Patched version(s): 1.20.1
Related Issues
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
- The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
- tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript - CVE-2025-48939
Tags: npm, tarteaucitronjs
Last updated on April 07, 2025