VYPR
Medium severity · 6.1 · NVD Advisory · Published Feb 23, 2025 · Updated Apr 29, 2026

CVE-2025-1467

Description

Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight() functions. This is related to SNYK-JS-TARTEAUCITRONJS-8366541.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-1467 is a medium-severity Cross-site Scripting (XSS) vulnerability in the tarteaucitronjs cookie consent library (versions < 1.17.0), exploitable via the getElemWidth() and getElemHeight() functions.

Vulnerability overview

CVE-2025-1467 describes a stored/reflected Cross-site Scripting (XSS) vulnerability in the tarteaucitronjs library, which provides a cookie consent banner for GDPR compliance [1]. The flaw exists in versions prior to 1.17.0 and resides in the getElemWidth() and getElemHeight() functions [2]. The values these functions read are not sanitized before use, so an attacker who controls them can inject script that executes in the browser of any user viewing the affected page.

Exploitation details

The attack vector is client-side and requires the attacker to control an attribute or input that is passed to getElemWidth() or getElemHeight(). Because the library reads element dimensions dynamically, a crafted string supplied in place of a dimension can escape the intended context and inject JavaScript. No authentication is needed when the functions are called with attacker-controlled data, for example via a query parameter or a manipulated DOM element [4]. The issue is related to the previously reported SNYK-JS-TARTEAUCITRONJS-8366541 vulnerability [2].
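To make the mechanism concrete, here is an added example (not tarteaucitron's own code; the page shows only the first line of its getElemAttr) of a dimension reader that keeps the patched call shape, data-<attr> first and then <attr>, but returns only allowlisted values so the result is safe to place in markup. The helper names, the allowlist regex and the FakeElem DOM shim are assumptions of this example.

```javascript
// Added example, not tarteaucitron's code. Reads a width/height attribute the way the
// fix commit does (data-<attr> before <attr>) but only returns values that match a
// strict dimension allowlist; anything else falls back to the element's client size.

// Allowlist: up to five digits, optionally followed by "px" or "%". Anything carrying
// quotes, angle brackets, spaces or other characters is rejected outright.
const DIMENSION_RE = /^\d{1,5}(px|%)?$/;

function readDimensionAttr(elem, attr, fallback) {
  // Same precedence as the patched getElemAttr: data-<attr> first, then <attr>.
  const raw = elem.getAttribute('data-' + attr) || elem.getAttribute(attr);
  if (raw === null || raw === undefined) return fallback;
  const value = String(raw).trim();
  return DIMENSION_RE.test(value) ? value : fallback;
}

function getElemWidth(elem) {
  return readDimensionAttr(elem, 'width', elem.clientWidth);
}

function getElemHeight(elem) {
  return readDimensionAttr(elem, 'height', elem.clientHeight);
}

// Minimal stand-in for a DOM element so the example runs under Node without a browser
// (an assumption of this example; a real element exposes the same getAttribute API).
class FakeElem {
  constructor(attrs, clientWidth, clientHeight) {
    this.attrs = attrs;
    this.clientWidth = clientWidth;
    this.clientHeight = clientHeight;
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
}

// Constructed sample elements: one with ordinary dimensions, one whose attributes
// contain characters that would break out of an attribute or tag context.
const benign = new FakeElem({ width: '560', 'data-height': '100%' }, 300, 150);
const hostile = new FakeElem({ width: '560" id="x', height: '<b>' }, 300, 150);

console.log(getElemWidth(benign), getElemHeight(benign));   // 560 100%
console.log(getElemWidth(hostile), getElemHeight(hostile)); // 300 150
```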

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, theft of sensitive cookies, defacement of the web page, or redirection to malicious sites. Since the vulnerable code is part of a cookie consent banner, the XSS can affect any site using the library without proper input validation [2].

Remediation

The vulnerability is fixed in tarteaucitronjs version 1.17.0 [2]. Users should upgrade without delay. No workarounds have been officially documented. The project maintainer was notified via the GitHub issue tracker, which also contains discussion about potential remaining attack surfaces [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tarteaucitronjs (npm)
Affected versions: < 1.17.0
Patched versions: 1.17.0

Patches

Commit 12490579001d

Fix potential xss on get width/height #1184

https://github.com/AmauriC/tarteaucitron.js · Amauri CHAMPEAUX · Feb 27, 2024 · via ghsa
2 files changed · +3 −3
  • tarteaucitron.js · +2 −2 · modified
    @@ -2248,10 +2248,10 @@ var tarteaucitron = {
             return source;
         },
         "getElemWidth": function(elem) {
    -        return elem.getAttribute('width') || elem.clientWidth;
    +        return tarteaucitron.getElemAttr(elem, 'width') || elem.clientWidth;
         },
         "getElemHeight": function(elem) {
    -        return elem.getAttribute('height') || elem.clientHeight;
    +        return tarteaucitron.getElemAttr(elem, 'height') || elem.clientHeight;
         },
         "getElemAttr": function (elem, attr) {
             var attribute = elem.getAttribute('data-' + attr) || elem.getAttribute(attr);
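Review bot: the two replaced lines `return tarteaucitron.getElemAttr(elem, 'width') || elem.clientWidth;` and the matching height line only close the hole if getElemAttr validates what it reads, and the hunk ends right after `var attribute = elem.getAttribute('data-' + attr) || elem.getAttribute(attr);`, so the actual check on `attribute` is outside the review context; please extend the diff so the allowlist or escaping applied to that value is visible, and add a test that passes a width value containing quote or angle-bracket characters and asserts it is not returned as-is. Two smaller points: the lookup order has changed, since `data-width` now wins over `width` when an element carries both, which deserves a line in the commit message; and the companion tarteaucitron.min.js change cannot be reviewed from a one-line minified diff, so confirm it was regenerated from this source rather than edited by hand.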
    
  • tarteaucitron.min.js · +1 −1 · modified

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
