GHSA-7524-3396-fqv3: tarteaucitron.js allows UI manipulation via unrestricted CSS injection
Moderate severity. GitHub Reviewed. Published Apr 7, 2025 in AmauriC/tarteaucitron.js. Updated Apr 7, 2025.
Package
npm tarteaucitronjs (npm)
Affected versions
< 1.20.1
A vulnerability was identified in tarteaucitron.js, where the user-controlled settings for element dimensions (width and height) were not properly validated before being used as CSS. Because a value was not restricted to a single CSS length, an attacker with direct access to the site's source code, or to a CMS plugin that exposes these settings, could supply a value such as 100%;height:100%;position:fixed; and inject additional declarations, potentially covering the entire viewport and facilitating clickjacking attacks.
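The injection mechanism described above, as an added example that is not tarteaucitron.js code: a hypothetical style builder that concatenates the width and height settings into an inline style string, beside a hardened version that accepts only a single CSS length. The function names, the regular expression and the sample payload are this example's own assumptions, not the library's.

```javascript
// Added example, not code from tarteaucitron.js: shows how an unvalidated
// dimension setting becomes a CSS injection when it is concatenated into an
// inline style, and how a strict allow-list for CSS lengths stops it.
// All names below are hypothetical.

// Vulnerable pattern: width/height are interpolated straight into the style
// string, so a value containing ';' terminates the declaration and appends
// further ones of the attacker's choosing.
function buildStyleUnsafe(width, height) {
  return `width:${width};height:${height};`;
}

// Allow-list for one CSS length: "auto", a bare 0, or a decimal number with a
// unit from a fixed set. ';', ':', '}' and anything else fail the test.
const CSS_LENGTH = /^(?:auto|0|\d+(?:\.\d+)?(?:px|%|em|rem|vw|vh))$/;

// Returns the trimmed value if it is a single CSS length, otherwise the
// caller's safe fallback. Never returns attacker-controlled text unchanged.
function validateCssLength(value, fallback) {
  if (typeof value !== 'string') return fallback;
  const v = value.trim();
  return CSS_LENGTH.test(v) ? v : fallback;
}

// Hardened pattern: every setting passes the allow-list before it is used.
function buildStyleSafe(width, height) {
  const w = validateCssLength(width, 'auto');
  const h = validateCssLength(height, 'auto');
  return `width:${w};height:${h};`;
}

// Counts the declarations present in a style string. Two inputs should
// produce exactly two; a higher count is the injection showing up.
function countDeclarations(style) {
  return style
    .split(';')
    .map((s) => s.trim())
    .filter((s) => s.includes(':')).length;
}

// Constructed payload, the value quoted in the advisory: the "width" setting
// smuggles in a height and a fixed position that pin the element over the
// whole viewport.
const PAYLOAD = '100%;height:100%;position:fixed;';

console.log('unsafe:', buildStyleUnsafe(PAYLOAD, '300px'));
console.log('safe:  ', buildStyleSafe(PAYLOAD, '300px'));
```

Assigning through the CSSOM (element.style.width = value) rather than composing a style or cssText string is another way to close this hole, because the browser parses the assignment as one property value and discards anything that is not. That protection is lost the moment the setting is concatenated into a string anywhere, which is why the allow-list check belongs at the point where the setting is read.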
Impact
An attacker who already holds high privileges (the ability to edit the site's source or its CMS plugin settings) could exploit this vulnerability to:
- Overlay malicious UI elements on top of legitimate content,
- Trick users into interacting with hidden elements (clickjacking),
- Disrupt the intended functionality and accessibility of the website.
Fix https://github.com/AmauriC/tarteaucitron.js/commit/25fcf828aaa55306ddc09cfbac9a6f8f126e2d07
The issue was resolved by enforcing strict validation and sanitization of user-provided CSS values to prevent unintended UI manipulation. Upgrade to tarteaucitronjs 1.20.1 or later. Until the upgrade is deployed, check that the width and height values in your configuration are plain CSS lengths (for example 300px or 100%) and contain no semicolons or other CSS syntax.
References
- https://github.com/advisories/GHSA-7524-3396-fqv3
- https://nvd.nist.gov/vuln/detail/CVE-2025-31138
- https://github.com/AmauriC/tarteaucitron.js/commit/25fcf828aaa55306ddc09cfbac9a6f8f126e2d07
Published to the GitHub Advisory Database: Apr 7, 2025