Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. stage-js
  4. ›
  5. CVE-2024-53386

CVE-2024-53386: Stage.js DOM Clobbering vulnerabilty

March 3, 2025 (updated June 30, 2025)

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

References

  • gist.github.com/jackfromeast/31d56f1ad17673aabb6ab541e65a5534
  • github.com/advisories/GHSA-fp3m-g5rc-4c28
  • github.com/piqnt/stage.js
  • github.com/piqnt/stage.js/blob/919f6e94b14242f6e6994141a9e1188439d306d5/lib/core.js
  • nvd.nist.gov/vuln/detail/CVE-2024-53386

Code Behaviors & Features

Detect and mitigate CVE-2024-53386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions up to 0.8.10

Solution

Unfortunately, there is no solution available yet.

Impact 4.9 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Source file

npm/stage-js/CVE-2024-53386.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Mon, 01 Sep 2025 12:18:23 +0000.