CVE-2024-53386

4.9 MEDIUM

📋 TL;DR

CVE-2024-53386 is a DOM clobbering vulnerability in Stage.js that allows attackers to inject HTML elements that shadow the document.currentScript property. This can lead to cross-site scripting (XSS) when untrusted HTML input is processed. Applications using Stage.js versions through 0.8.10 that accept user-controlled HTML content are affected.

💻 Affected Systems

Products:
  • Stage.js
Versions: through 0.8.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing untrusted HTML input that doesn't contain direct JavaScript but can contain HTML elements.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full XSS exploitation allowing attackers to execute arbitrary JavaScript in victim browsers, potentially leading to session hijacking, data theft, or complete account compromise.

🟠 Likely Case

Limited XSS exploitation in specific contexts where user-controlled HTML is rendered, potentially enabling session hijacking or data exfiltration.

🟢 If Mitigated

No impact if proper input sanitization and a Content Security Policy are implemented, or if user HTML input is not accepted.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to process attacker-controlled HTML input. Public proof-of-concept demonstrates the technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.11 or later

Vendor Advisory: https://github.com/piqnt/stage.js

Restart Required: No

Instructions:

1. Update Stage.js to version 0.8.11 or later.
2. Replace the vulnerable code in lib/core.js lines 158-159 with the patched version.
3. Test application functionality.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement strict HTML sanitization for all user-controlled input using libraries like DOMPurify.

Content Security Policy (applies to: all)

Implement strict Content Security Policy headers to mitigate XSS impact.

🧯 If You Can't Patch

  • Disable processing of HTML input from untrusted sources.
  • Implement additional validation layers to reject HTML elements in user input.

🔍 How to Verify

Check if Vulnerable:

Check if Stage.js version is 0.8.10 or earlier and if the application processes user HTML input.

Check Version:

Check package.json or inspect the Stage.js library file for version information.

Verify Fix Applied:

Verify Stage.js version is 0.8.11 or later and test with known exploit payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML element patterns in user input
  • Multiple failed input validation attempts

Network Indicators:

  • HTTP requests containing suspicious HTML element patterns

SIEM Query:

Search user input for HTML elements such as <script> or <img> whose id or name attribute is set to currentScript, the value used to shadow document.currentScript.
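The following is an added example, not code from Stage.js or from this advisory, showing how the log and SIEM indicators above can be turned into detection logic. It scans logged request bodies for tags whose id or name attribute equals currentScript (including entity-encoded spellings), which is the attribute form a DOM clobbering payload needs in order to shadow document.currentScript. The log line format and the sample lines are constructed for the example; the attribute scan is a regex heuristic intended for alerting, not a replacement for a real HTML sanitizer such as DOMPurify or for upgrading to 0.8.11.

```javascript
// Added example (not Stage.js code): heuristic detection of DOM clobbering
// attempts against document.currentScript in logged request bodies.
// DOM clobbering shadows a document property by giving an injected element an
// id or name equal to that property; for this CVE the property is "currentScript".

// Property names whose clobbering we alert on (only currentScript is on the page).
const CLOBBER_TARGETS = new Set(['currentscript']);

// Matches a start tag and captures its name and raw attribute text.
// Heuristic: a literal ">" inside a quoted attribute value ends the match early.
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;

// Matches id="..." / name='...' / id=bare attribute forms inside a tag.
const ATTR_RE = /\b(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Decodes the common entity forms so that id="&#99;urrentScript" is not missed.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|quot|apos|lt|gt|amp);/gi, (match, entity) => {
    const e = entity.toLowerCase();
    if (e[0] === '#') {
      const code = e[1] === 'x' ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return { quot: '"', apos: "'", lt: '<', gt: '>', amp: '&' }[e];
  });
}

// Returns one record per element whose id/name would clobber a target property.
function findClobberingElements(html) {
  const hits = [];
  let tag;
  TAG_RE.lastIndex = 0;
  while ((tag = TAG_RE.exec(html)) !== null) {
    const [, tagName, attrs] = tag;
    let attr;
    ATTR_RE.lastIndex = 0;
    while ((attr = ATTR_RE.exec(attrs)) !== null) {
      const value = decodeEntities(attr[2] ?? attr[3] ?? attr[4] ?? '').trim();
      if (CLOBBER_TARGETS.has(value.toLowerCase())) {
        hits.push({ tag: tagName.toLowerCase(), attribute: attr[1].toLowerCase(), value });
      }
    }
  }
  return hits;
}

// Constructed sample log lines in a hypothetical format:
// "<timestamp> <client-ip> <method> <path> body=<url-decoded request body>".
const SAMPLE_LOG = [
  '2024-11-20T10:00:01Z 203.0.113.5 POST /comment body=<p>Nice game!</p>',
  '2024-11-20T10:00:02Z 203.0.113.9 POST /comment body=<img name="currentScript" src="x">',
  '2024-11-20T10:00:03Z 198.51.100.7 POST /profile body=<a id=currentScript href="//example.invalid">hi</a>',
  '2024-11-20T10:00:04Z 198.51.100.8 POST /comment body=<form id="&#99;urrentScript"></form>',
  '2024-11-20T10:00:05Z 192.0.2.4 POST /comment body=<div id="current-script">ok</div>',
];

// Scans each logged request body and returns the lines that should raise an alert.
function scanLogLines(lines) {
  const alerts = [];
  for (const line of lines) {
    const bodyStart = line.indexOf('body=');
    if (bodyStart === -1) continue;
    const hits = findClobberingElements(line.slice(bodyStart + 'body='.length));
    if (hits.length > 0) alerts.push({ line, hits });
  }
  return alerts;
}

// Usage: three of the five constructed lines trigger an alert; the hyphenated
// "current-script" id does not, because it is not the DOM property name.
console.log(JSON.stringify(scanLogLines(SAMPLE_LOG), null, 2));

module.exports = { findClobberingElements, scanLogLines, SAMPLE_LOG };
```

Matching is case-insensitive because HTML id and name attributes are compared verbatim by the DOM but a clobbering element named CurrentScript would not shadow the property, so the case-insensitive match errs toward alerting; tune CLOBBER_TARGETS if other properties become relevant in your application.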
