GHSA-p5g4-v748-6fh8: tarteaucitron.js allows url scheme injection via unfiltered inputs
A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, so such a value reached the link unchanged and the script in it ran, in the context of the site, in the browser of any visitor who clicked the malicious link.
Impact
An attacker with high privileges could insert a link using an insecure URL scheme, leading to:
- Execution of arbitrary JavaScript code in the browser of a visitor who clicks the link
- Theft of sensitive data through phishing attacks
- Modification of the user interface behavior
Fix https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02
The issue was resolved by enforcing strict URL validation, ensuring that URLs start with http:// or https:// before being used. A scheme allow-list of this kind is the right shape for the check: a deny-list of known-bad prefixes is bypassed by case changes and by whitespace that browsers normalise away before resolving the scheme.
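The allow-list check described in the fix, as an added example that is not code from tarteaucitron.js or its fix commit. It places a deny-list prefix check (the kind of insufficient validation the advisory describes) beside an allow-list that parses the value with the WHATWG URL parser, so the same normalisation a browser applies (lower-casing the scheme, stripping surrounding whitespace and embedded tabs or newlines) happens before the scheme is compared. The function names, the fallback value and the sample inputs are constructed for this example and are not from the project.

```javascript
// Added example (not code from tarteaucitron.js): allow-listing URL schemes
// before a user-supplied value is used as a link target.

// What insufficient validation often looks like: a deny-list on the literal
// "javascript:" prefix. Case changes, leading whitespace and embedded tab or
// newline characters all slip past it, and browsers strip those before
// resolving the scheme, so the link still executes script when clicked.
function denylistIsSafe(value) {
  return !String(value).startsWith("javascript:");
}

// Hardened check: parse with the WHATWG URL parser, which applies the same
// normalisation a browser does (lower-cases the scheme, strips leading and
// trailing C0 control/space characters and embedded tabs and newlines), then
// accept only an explicit allow-list of schemes. Relative and scheme-less
// inputs ("/path", "//host/path") throw in the no-base form and are rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function isSafeHttpUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Apply the check where the value meets an href, and substitute a harmless
// fallback (assumed "#") rather than passing the rejected value through.
function safeHref(value, fallback = "#") {
  return isSafeHttpUrl(value) ? new URL(value).href : fallback;
}

// Run both checks over a list of inputs and return the verdicts, so the
// difference between the two approaches is visible side by side.
function auditUrls(values) {
  return values.map((value) => ({
    value,
    denylist: denylistIsSafe(value),
    allowlist: isSafeHttpUrl(value),
  }));
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_URLS = [
  "https://example.com/privacy-policy",
  "http://example.com/cookies?lang=fr",
  "HTTPS://EXAMPLE.COM/terms",
  "javascript:alert()",
  "JavaScript:alert()",
  "   javascript:alert()",
  "java\tscript:alert()",
  "data:text/html,<script>alert()</script>",
  "vbscript:MsgBox(1)",
  "//evil.example/privacy",
  "/privacy",
];

for (const row of auditUrls(SAMPLE_URLS)) {
  console.log(
    `${JSON.stringify(row.value).padEnd(44)} deny-list: ${row.denylist}  allow-list: ${row.allowlist}`
  );
}
```

The parser-based allow-list rejects every javascript:, data: and vbscript: variant in the sample set, including the upper-cased and whitespace-padded ones that the deny-list accepts. It also rejects relative and protocol-relative paths; if a deployment needs those, resolve them against a known base (new URL(value, base)) before applying the same protocol check rather than loosening the allow-list.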
References
- https://github.com/advisories/GHSA-p5g4-v748-6fh8
- https://nvd.nist.gov/vuln/detail/CVE-2025-31476
- https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02