High severity | NVD Advisory · Published Sep 23, 2024 · Updated Oct 29, 2024
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
CVE-2024-47068
Description
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rollup (npm) | >= 3.0.0, < 3.29.5 | 3.29.5 |
| rollup (npm) | >= 4.0.0, < 4.22.4 | 4.22.4 |
| rollup (npm) | < 2.79.2 | 2.79.2 |
Affected products
OSV coordinates for 20 package versions. No CPE identifiers are assigned; each row gives the affected version range.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/vite | < 5.4.8-r0 |
| pkg:apk/chainguard/vitess-18 | < 18.0.8-r16 |
| pkg:apk/chainguard/vitess-18.0 | < 18.0.8-r0 |
| pkg:apk/chainguard/vitess-18.0-binaries | < 18.0.8-r0 |
| pkg:apk/chainguard/vitess-18-binaries | < 18.0.8-r16 |
| pkg:apk/chainguard/vitess-20 | < 20.0.8-r8 |
| pkg:apk/chainguard/vitess-20.0 | < 20.0.2-r2 |
| pkg:apk/chainguard/vitess-20.0-binaries | < 20.0.2-r2 |
| pkg:apk/chainguard/vitess-20.0-compat | < 20.0.2-r2 |
| pkg:apk/chainguard/vitess-20-binaries | < 20.0.8-r8 |
| pkg:apk/chainguard/vitess-20-compat | < 20.0.8-r8 |
| pkg:apk/wolfi/vite | < 5.4.8-r0 |
| pkg:apk/wolfi/vitess-20 | < 20.0.8-r8 |
| pkg:apk/wolfi/vitess-20.0 | < 20.0.2-r2 |
| pkg:apk/wolfi/vitess-20.0-binaries | < 20.0.2-r2 |
| pkg:apk/wolfi/vitess-20.0-compat | < 20.0.2-r2 |
| pkg:apk/wolfi/vitess-20-binaries | < 20.0.8-r8 |
| pkg:apk/wolfi/vitess-20-compat | < 20.0.8-r8 |
| pkg:npm/rollup | >= 3.0.0, < 3.29.5 |
| pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed | < 0.7.0.4.git142.862ef23-1.1 |
References
- github.com/advisories/GHSA-gcx4-mw62-g8wm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-47068 (GHSA, advisory)
- github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts (GHSA, x_refsource_MISC, web)
- github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4 (GHSA, x_refsource_MISC, web)
- github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541 (GHSA, x_refsource_MISC, web)
- github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm (GHSA, x_refsource_CONFIRM, web)