CVE-2025-31475: tarteaucitron.js allows prototype pollution via custom text injection
A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potential security risks such as data corruption or unintended code execution.
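To make the advisory concrete, the following is an added illustration (not tarteaucitron.js's own addOrUpdate code): a naive recursive merge of a "custom texts" object, which lets a `__proto__` key reach `Object.prototype`, beside a hardened merge that skips prototype-reaching keys, plus a probe a test suite can use to detect pollution. The default text keys and the custom-text payload are constructed for the example.

```javascript
// Added illustration, not tarteaucitron.js's own addOrUpdate: a naive recursive
// merge of a "custom texts" object beside a hardened one. Key names are constructed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: every key of the untrusted object is merged, so a
// "__proto__" key makes the recursion descend into Object.prototype and write there.
function naiveAddOrUpdate(target, custom) {
  for (const key of Object.keys(custom)) {
    const value = custom[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveAddOrUpdate(target[key], value); // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject prototype-reaching keys and only recurse into
// nested objects the target defines as its own properties.
function safeAddOrUpdate(target, custom) {
  for (const key of Object.keys(custom)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = custom[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeAddOrUpdate(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: Object.prototype must never gain an own property of that name.
const isPolluted = (name) => hasOwn(Object.prototype, name);

// Constructed defaults and a constructed custom-text payload carrying a __proto__ key
// (JSON.parse yields an own property named "__proto__"; it does not set the prototype).
const DEFAULT_TEXTS = () => ({ banner: { title: 'Cookies', accept: 'Accept' } });
const CUSTOM_JSON = '{"banner":{"title":"Consent"},"__proto__":{"injected":"yes"}}';

function applyCustomTexts(json, merge = safeAddOrUpdate) {
  return merge(DEFAULT_TEXTS(), JSON.parse(json));
}
```

Running `applyCustomTexts(CUSTOM_JSON)` applies the legitimate override and leaves `Object.prototype` untouched, while the naive merge leaves `isPolluted('injected')` true afterwards.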
Detect and mitigate CVE-2025-31475 with GitLab Dependency Scanning