VYPR
Moderate severity · NVD Advisory · Published Apr 7, 2025 · Updated Jun 12, 2025

tarteaucitron.js allows url scheme injection via unfiltered inputs

CVE-2025-31476

Description

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link. An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to execution of arbitrary JavaScript code, theft of sensitive data through phishing attacks, or modification of the user interface behavior. This vulnerability is fixed in 1.20.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

tarteaucitron.js before 1.20.1 fails to validate URL schemes, allowing high-privilege attackers to inject javascript: links and execute arbitrary code.

Vulnerability

Overview

The tarteaucitron.js cookie banner library suffers from insufficient URL validation, tracked as CVE-2025-31476. In versions prior to 1.20.1, the getElemAttr function did not verify that user-supplied URLs use a secure scheme. An attacker with high privileges—such as access to the site's source code or a CMS plugin—could input a URL containing an insecure scheme like javascript:alert() [1][3].

Exploitation

Conditions

Exploitation requires that an attacker already has high privileges (e.g., editor/administrator in a CMS or direct code access). The malicious URL is then stored or rendered in a link element. When an end user clicks that link, the insecure scheme causes arbitrary JavaScript execution in the user's browser session. No additional authentication or network position is needed beyond the initial privileged access [1][4].

Impact

Successful exploitation leads to arbitrary JavaScript execution, which can be used to steal sensitive data (e.g., session cookies, credentials) via phishing attacks or to modify the user interface behavior. The impact is primarily on the client side, affecting any user who clicks the crafted link [1][4].

Mitigation

The vulnerability is fixed in tarteaucitron.js version 1.20.1. The fix, implemented in commit 2fa1e01, enforces strict URL validation that only allows URLs starting with http:// or https:// and also blocks the data-srcdoc attribute to prevent XSS [3]. Users should upgrade to version 1.20.1 or later.
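The validation described above, as an added example that is not tarteaucitron.js code: the first function mirrors the pattern used by the 1.20.1 fix (absolute http(s) only), the second is an editor's variant that lets the URL parser decide the scheme instead of pattern-matching; function names and the sample values are assumptions constructed for illustration.

```javascript
// Added example (not project code): allow-listing URL schemes for a link
// attribute, in the style of the tarteaucitron.js 1.20.1 fix.

// Same pattern as the fix commit: absolute http(s) URL, no whitespace.
const HTTP_URL = /^https?:\/\/[^\s]+$/;

// Pattern-based check: return the value if it is an http(s) URL, else "".
function safeUrlAttr(value) {
  if (typeof value !== 'string') return '';
  return HTTP_URL.test(value) ? value : '';
}

// Parser-based variant: the WHATWG URL parser normalises the scheme
// (case, surrounding whitespace), so the allow-list compares a canonical
// protocol rather than the raw text. Relative or malformed input throws
// and is rejected like any non-http(s) scheme.
function safeUrlAttrParsed(value) {
  if (typeof value !== 'string') return '';
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return '';
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:'
    ? parsed.href
    : '';
}

// Constructed sample attribute values, as a site operator might store them.
const SAMPLES = [
  'https://example.com/privacy',
  'http://example.com/cookies',
  'javascript:alert()',
  'JaVaScRiPt:alert()',
  'data:text/plain,hello',
  '  https://example.com/spaced',
  '/relative/path',
];

// Run every sample through a checker; returns [input, result] pairs.
function filterSamples(checker) {
  return SAMPLES.map((v) => [v, checker(v)]);
}

console.table(filterSamples(safeUrlAttr));
console.table(filterSamples(safeUrlAttrParsed));
```

The two variants differ only on the padded sample: the regex rejects it, the parser trims and accepts it, so pick one behaviour deliberately rather than by accident.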

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tarteaucitronjs (npm)
Affected versions: < 1.20.1
Patched versions: 1.20.1

Patches

2fa1e01023bc

Security: check if url attr contains a url and disallow the data-srcdoc attr

2 files changed · +12 −1
  • tarteaucitron.js +11 −0 modified
    @@ -2438,8 +2438,19 @@ var tarteaucitron = {
             return tarteaucitron.getElemAttr(elem, 'height') || elem.clientHeight;
         },
         "getElemAttr": function (elem, attr) {
    +
             var attribute = elem.getAttribute('data-' + attr) || elem.getAttribute(attr) || elem.getAttribute(attr.startsWith('data-') ? attr.slice(5) : attr);
     
    +        // security: only allow real url on the url attr
    +        if ((attr === 'url' || attr === 'data-url') && !/^https?:\/\/[^\s]+$/.test(elem.getAttribute(attr))) {
    +            return "";
    +        }
    +
    +        // security: disallow data-srcdoc attr to avoid xss
    +        if (attr === 'srcdoc' || attr === 'data-srcdoc') {
    +            attribute = elem.getAttribute('srcdoc');
    +        }
    +
             if (typeof attribute === 'string') {
                 return tarteaucitron.fixSelfXSS(attribute);
             }
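Review bot: the url check validates a different value from the one the function returns. It tests `elem.getAttribute(attr)`, while `attribute` was resolved from `'data-' + attr` first and from the un-prefixed name as a fallback; when `data-url` and `url` are both set the check runs on `url` but the `data-url` value is what gets returned, and when only the fallback attribute exists the check runs on null (`test(null)` tests the string "null") and rejects a valid value. Test the resolved value instead, e.g. `if ((attr === 'url' || attr === 'data-url') && (typeof attribute !== 'string' || !/^https?:\/\/[^\s]+$/.test(attribute))) { return ""; }`. The stray `+` blank line right after the function header can also be dropped.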
    
  • tarteaucitron.min.js +1 −1 modified

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
