tarteaucitron.js allows prototype pollution via custom text injection
Description
tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1: the AddOrUpdate function, used for applying custom texts, merged every key of the supplied object into its target without filtering, including the special keys __proto__ and constructor. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, with potential consequences such as data corruption or unintended code execution. An attacker with high privileges could exploit this to modify object prototypes and so affect core JavaScript behavior, cause application crashes or unexpected behavior, or introduce further security weaknesses depending on the application's architecture. This vulnerability is fixed in 1.20.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in tarteaucitron.js cookie banner allows attackers with high privileges to corrupt objects, leading to data corruption or code execution; patched in 1.20.1.
Vulnerability
CVE-2025-31475 describes a prototype pollution vulnerability in tarteaucitron.js, a cookie consent banner. The AddOrUpdate function, which applies custom text configurations by recursively merging a caller-supplied object into the default texts, iterated over every key of that object with for...in and did not skip __proto__ or constructor, so a nested value under one of those keys was merged into Object.prototype instead of into the text object [1][3].
Exploitation
An attacker with high privileges, such as direct access to the site's source code or a CMS plugin, can inject malicious input to pollute Object.prototype [1]. This requires the attacker to have control over the website's configuration or plugin settings.
Impact
Successful exploitation enables attackers to modify core JavaScript behavior, potentially causing application crashes, data corruption, or introducing further vulnerabilities depending on the application's architecture [1][3].
Mitigation
The vulnerability is fixed in version 1.20.1 of tarteaucitron.js [1]. The fix, implemented in commit 74c354c [4], skips keys named __proto__ and constructor and only copies the custom object's own properties, so the merge can no longer walk into a prototype. Users should update to 1.20.1 or later, or apply the patch.
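To make the mechanics from the Vulnerability and Mitigation sections concrete, the following is an added example and not tarteaucitron.js's own code. vulnerableMerge reproduces the shape of the pre-1.20.1 loop shown in the patch, fixedMergeAsShipped mirrors the 1.20.1 diff, and safeMerge is our hardened variant that additionally looks up hasOwnProperty on Object.prototype rather than on the attacker-influenced object. The payloads and text keys are constructed for this example; they are illustrative and say nothing about tarteaucitron's real text catalogue. Note that the __proto__ key only becomes an own, enumerable property when the object comes from JSON.parse (or a similar deserializer); an object literal with a __proto__ key would just set the prototype and never be walked by for...in.

```javascript
// Pre-fix shape: recursive for...in merge with no key filtering.
// A JSON-supplied "__proto__" key resolves source["__proto__"] to
// Object.prototype, so the nested object is written onto every object.
function vulnerableMerge(source, custom) {
  for (var key in custom) {
    if (custom[key] instanceof Object) {
      source[key] = vulnerableMerge(source[key], custom[key]);
    } else {
      source[key] = custom[key];
    }
  }
  return source;
}

// Mirrors the 1.20.1 diff: skip the two prototype-reaching keys and only
// copy own properties. The own-property check is called on `custom` itself.
function fixedMergeAsShipped(source, custom) {
  for (var key in custom) {
    if (key === "__proto__" || key === "constructor") continue;
    if (custom.hasOwnProperty(key)) {
      if (custom[key] instanceof Object) {
        source[key] = fixedMergeAsShipped(source[key], custom[key]);
      } else {
        source[key] = custom[key];
      }
    }
  }
  return source;
}

// Our hardened variant (example code): same key filter, but hasOwnProperty
// is taken from Object.prototype so an input that carries its own
// "hasOwnProperty" property, or a null-prototype object, cannot break it.
// The undefined guard is also ours, so nested keys absent from the target work.
function safeMerge(source, custom) {
  if (source === undefined || source === null) source = {};
  for (var key in custom) {
    if (key === "__proto__" || key === "constructor") continue;
    if (!Object.prototype.hasOwnProperty.call(custom, key)) continue;
    if (custom[key] instanceof Object) {
      source[key] = safeMerge(source[key], custom[key]);
    } else {
      source[key] = custom[key];
    }
  }
  return source;
}

// Constructed payloads, as a CMS plugin or config store might hand them over.
var PAYLOADS = [
  '{"alertBig":"Custom banner text","__proto__":{"polluted":"yes"}}', // pollutes via __proto__
  '{"constructor":{"prototype":{"polluted":"yes"}}}',                  // pollutes via constructor.prototype
  '{"hasOwnProperty":"shadowed","acceptAll":"Tout accepter"}'          // shadows the own-property check
];

// Merges one payload with the given merge function and reports what happened:
// `leaked` is what a fresh, unrelated object now sees for "polluted",
// `threw` records whether the merge crashed. Cleans Object.prototype afterwards.
function tryPayload(mergeFn, json) {
  var texts = { alertBig: "Default banner text", acceptAll: "Accept all" };
  var threw = false;
  try {
    mergeFn(texts, JSON.parse(json));
  } catch (e) {
    threw = true;
  }
  var leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { leaked: leaked, threw: threw, alertBig: texts.alertBig, acceptAll: texts.acceptAll };
}
```

Running tryPayload(vulnerableMerge, PAYLOADS[0]) leaves "polluted" visible on every object in the realm, while both fixed variants apply alertBig and leave Object.prototype untouched. The third payload separates them: the as-shipped check calls custom.hasOwnProperty, which is now a string, and throws, whereas safeMerge just copies the harmless own property and the legitimate text.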
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tarteaucitronjs (npm) | < 1.20.1 | 1.20.1 |
Affected products
- Range: < 1.20.1
- AmauriC/tarteaucitron.js v5: Range < 1.20.1
Patches
74c354c413ee: Potential fix for code scanning alert no. 130: Prototype-polluting function
1 file changed · +7 −4
tarteaucitron.js+7 −4 modified@@ -2404,10 +2404,13 @@ var tarteaucitron = { Utility function to Add or update the fields of obj1 with the ones in obj2 */ for(var key in custom){ - if(custom[key] instanceof Object){ - source[key] = tarteaucitron.AddOrUpdate(source[key], custom[key]); - }else{ - source[key] = custom[key]; + if (key === "__proto__" || key === "constructor") continue; + if(custom.hasOwnProperty(key)){ + if(custom[key] instanceof Object){ + source[key] = tarteaucitron.AddOrUpdate(source[key], custom[key]); + }else{ + source[key] = custom[key]; + } } } return source;
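Review bot: the new own-property check `if(custom.hasOwnProperty(key))` looks the method up on the attacker-influenced object itself, so an input such as `{"hasOwnProperty":"x"}` (or an object created with `Object.create(null)`) makes the whole merge throw a TypeError rather than being filtered; use `Object.prototype.hasOwnProperty.call(custom, key)` instead. Consider also adding `"prototype"` to the skipped keys alongside `"__proto__"` and `"constructor"`, as the usual prototype-pollution guards do, and a comment noting that `custom[key] instanceof Object` still recurses into arrays and functions, which this change leaves as before.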
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-4hwx-xcc5-2hfc (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-31475 (NVD)
- https://github.com/AmauriC/tarteaucitron.js/commit/74c354c413ee3f82dff97a15a0a43942887c2b5b (fix commit)
- https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-4hwx-xcc5-2hfc (repository security advisory)