Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. prismjs
  4. ›
  5. CVE-2024-53382

CVE-2024-53382: PrismJS DOM Clobbering vulnerability

March 3, 2025 (updated June 30, 2025)

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

References

  • gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
  • github.com/PrismJS/prism
  • github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js
  • github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d
  • github.com/PrismJS/prism/pull/3863
  • github.com/advisories/GHSA-x7hr-w5r2-h6wg
  • nvd.nist.gov/vuln/detail/CVE-2024-53382

Code Behaviors & Features

Detect and mitigate CVE-2024-53382 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.30.0

Fixed versions

  • 1.30.0

Solution

Upgrade to version 1.30.0 or above.

Impact 4.9 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Source file

npm/prismjs/CVE-2024-53382.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 06 Sep 2025 12:18:37 +0000.