CVE-2025-31476

4.8 MEDIUM

📋 TL;DR

A cross-site scripting (XSS) vulnerability in tarteaucitron.js allows privileged users to inject malicious JavaScript links into cookie banners. When clicked by other users, these links can execute arbitrary JavaScript in the victim's browser context. This affects websites using vulnerable versions of tarteaucitron.js for cookie consent management.

💻 Affected Systems

Products:
  • tarteaucitron.js
Versions: All versions before 1.20.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker with high privileges (source code or CMS plugin access). Drupal modules using tarteaucitron.js may also be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Privileged attacker steals session cookies, credentials, or sensitive data via phishing, performs account takeover, or modifies UI to trick users into harmful actions.

🟠 Likely Case

Privileged user (e.g., compromised admin) inserts malicious link that executes JavaScript when clicked, potentially stealing limited session data or redirecting users.

🟢 If Mitigated

With proper input validation and least privilege controls, impact is limited to low-privilege users clicking crafted links with minimal data exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires privileged access to inject malicious URL. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.1

Vendor Advisory: https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-p5g4-v748-6fh8

Restart Required: No

Instructions:

1. Update tarteaucitron.js to version 1.20.1 or later.
2. Replace the tarteaucitron.js file in your project with the patched version.
3. Clear any caches (browser, CDN, server).
4. Test cookie banner functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to reject URLs with javascript: or other dangerous schemes in tarteaucitron.js configuration inputs.

Implement regex filter: /^(?!javascript:|data:|vbscript:).*/i on URL inputs
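An added example, not code from the tarteaucitron.js project: a Node.js server-side validator for the workaround above that allowlists http/https after WHATWG URL parsing instead of matching the raw string, so scheme case and surrounding whitespace are normalized by the parser before the scheme is compared. SITE_ORIGIN and the configuration field names are assumptions.

```javascript
// Added example (not tarteaucitron.js project code). Assumes Node.js with the
// global WHATWG URL class; no other dependencies.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Base origin used only to resolve relative links such as "/privacy".
// Constructed placeholder: replace with the site's own origin.
const SITE_ORIGIN = 'https://example.invalid';

// Returns the normalized absolute URL if the input is safe to place in an
// href, or null if it must be rejected. Allowlisting the parsed scheme
// rejects javascript:, data:, vbscript: and every other scheme by default.
function sanitizeBannerUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(input, SITE_ORIGIN);
  } catch (e) {
    return null; // unparseable input is rejected, not passed through
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return null;
  }
  return parsed.href;
}

// Validates the URL-bearing fields of a banner configuration object as an
// admin submits it. Field names are hypothetical. Returns { ok, errors, config }
// where config carries the normalized URLs for the fields that passed.
function validateBannerConfig(config, urlFields = ['privacyUrl', 'moreInfoLink']) {
  const errors = [];
  const cleaned = { ...config };
  for (const field of urlFields) {
    if (config[field] === undefined) continue;
    const safe = sanitizeBannerUrl(config[field]);
    if (safe === null) {
      errors.push(`${field}: rejected URL scheme or malformed URL`);
    } else {
      cleaned[field] = safe;
    }
  }
  return { ok: errors.length === 0, errors, config: cleaned };
}
```

Reject the whole submission when `ok` is false and log the field name so the validation failure shows up in the admin activity logs described under Detection & Monitoring.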

🧯 If You Can't Patch

  • Restrict administrative access to only trusted users with strong authentication.
  • Implement Content Security Policy (CSP) with script-src directives to limit JavaScript execution.

🔍 How to Verify

Check if Vulnerable:

Check if tarteaucitron.js version is below 1.20.1 in your website's source code or dependencies.

Check Version:

grep -r 'tarteaucitron' package.json, or check the src attribute of the script tag in the HTML.

Verify Fix Applied:

Confirm tarteaucitron.js version is 1.20.1 or higher and test that javascript: URLs are blocked in cookie banner links.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity inserting URLs with javascript: schemes
  • Error logs from URL validation failures

Network Indicators:

  • HTTP requests containing javascript: URLs in parameters

SIEM Query:

search 'javascript:' in web application logs or admin panel access logs
