CVE-2024-53386: Stage.js DOM Clobbering vulnerabilty

March 3, 2025 (updated June 30, 2025)

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

References

gist.github.com/jackfromeast/31d56f1ad17673aabb6ab541e65a5534
github.com/advisories/GHSA-fp3m-g5rc-4c28
github.com/piqnt/stage.js
github.com/piqnt/stage.js/blob/919f6e94b14242f6e6994141a9e1188439d306d5/lib/core.js
nvd.nist.gov/vuln/detail/CVE-2024-53386

Code Behaviors & Features

Detect and mitigate CVE-2024-53386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →