CVE-2023-32325: Potential for cross-site scripting in PostHog-js
Impact
Potential for cross-site scripting in posthog-js.
Patches
The problem has been patched in posthog-js version 1.57.2.
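To check whether a project still resolves a posthog-js release older than the patched 1.57.2, the following added example (not PostHog's own code) walks a parsed package-lock.json and flags every copy, including transitive ones. The sample lockfile and the package names analytics-wrapper and posthog-js-extras are constructed for illustration.

```javascript
// Added example: flag posthog-js installs older than the patched 1.57.2.
const PATCHED = [1, 57, 2]; // fixed version stated in the advisory

// True when `version` sorts before 1.57.2; pre-releases of 1.57.2 count as older.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true; // unparseable or missing version: flag for manual review
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return Boolean(m[4]);
}

// List every posthog-js copy in a parsed package-lock.json: the v2/v3
// "packages" map, or the nested v1 "dependencies" tree when that map is absent.
function findPosthog(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, vulnerable: isVulnerable(version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/posthog-js" || path.endsWith("/node_modules/posthog-js")) {
      record(path, meta.version);
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "posthog-js") record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; analytics-wrapper and posthog-js-extras are made-up names.
const sampleLock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/posthog-js": { version: "1.57.2" },
    "node_modules/analytics-wrapper/node_modules/posthog-js": { version: "1.56.0" },
    "node_modules/posthog-js-extras": { version: "2.0.0" },
  },
};

for (const hit of findPosthog(sampleLock)) {
  console.log(`${hit.path} ${hit.version} ${hit.vulnerable ? "UPGRADE to >= 1.57.2" : "ok"}`);
}
```

In a real project, pass the result of parsing the project's own package-lock.json to `findPosthog` instead of the constructed sample.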
Workarounds
- This isn’t an issue for sites that have a Content Security Policy in place.
- Using the HTML tracking snippet on PostHog Cloud always guarantees the latest version of the library – in that case no action is required to upgrade to the patched version.
References
We will publish details of the vulnerability in 30 days as per our security policy.