CVE-2025-31138: tarteaucitron.js allows UI manipulation via unrestricted CSS injection
A vulnerability was identified in tarteaucitron.js, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values such as "100%;height:100%;position:fixed;", potentially covering the entire viewport and facilitating clickjacking attacks.
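The root cause described above is a configuration value for a single CSS property being interpolated into a style string without checking that it is a single CSS length. The following is an added example written for this advisory, not tarteaucitron.js code and not that project's actual fix: it shows the unsafe string-building pattern beside an allow-list validator that accepts only one numeric length with a unit, so a value carrying extra declarations (";height:100%;position:fixed;") is rejected and replaced by a default. The function names, the fallback sizes and the sample configuration are all assumptions constructed for the example.

```javascript
// Added example for CVE-2025-31138 (not tarteaucitron.js's own code).
// Allow-list for a CSS length: one non-negative number followed by a unit.
// Anything else (semicolons, colons, extra declarations, calc(), url()) fails.
const CSS_LENGTH = /^(\d+(\.\d+)?)(px|%|em|rem|vw|vh)$/;

function isSafeCssLength(value) {
  return typeof value === 'string' && CSS_LENGTH.test(value.trim());
}

// Returns the trimmed value when it is a valid length, otherwise the fallback.
function sanitizeDimension(value, fallback) {
  return isSafeCssLength(value) ? value.trim() : fallback;
}

// Unsafe pattern (hypothetical): dimensions from configuration are concatenated
// straight into a style attribute, so a value containing ';' injects further
// CSS declarations into the element's style.
function buildStyleUnsafe(cfg) {
  return 'width:' + cfg.width + ';height:' + cfg.height + ';';
}

// Hardened pattern: each dimension is validated against the allow-list first,
// so only a single length can reach the style string.
function buildStyleSafe(cfg, defaults = { width: '300px', height: '150px' }) {
  const width = sanitizeDimension(cfg.width, defaults.width);
  const height = sanitizeDimension(cfg.height, defaults.height);
  return 'width:' + width + ';height:' + height + ';';
}

// Simple check a reviewer or a config linter can run over a settings object:
// reports every dimension key whose value is not a plain CSS length.
function findUnsafeDimensions(cfg, keys = ['width', 'height']) {
  return keys.filter((k) => k in cfg && !isSafeCssLength(cfg[k]));
}

// Constructed sample configuration in the shape the advisory describes:
// a plugin setting that smuggles extra declarations through the width field.
const maliciousConfig = {
  width: '100%;height:100%;position:fixed;',
  height: '200px',
};

const benignConfig = { width: '100%', height: '200px' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe  :', buildStyleUnsafe(maliciousConfig));
  console.log('hardened:', buildStyleSafe(maliciousConfig));
  console.log('flagged :', findUnsafeDimensions(maliciousConfig));
}
```

When the value is applied through the CSSOM instead of a style string (for example `element.style.width = value`), the browser parses the assignment as a single property value and discards anything that is not a valid length, which removes the injection path; the allow-list above is still worth keeping so that bad configuration is reported rather than silently ignored.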