Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ncHJqLTZtMmYtajloeM4AA_P_
DOM clobbering could escalate to Cross-site Scripting (XSS)
Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of document.currentScript.src.
It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
This will cause document.currentScript.src to resolve as an external domain, which will then be used by Pagefind to load dependencies.
This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, img tags with a name attribute), but not others, as adding a script to the page would itself be the XSS vector.
Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.
Original Report
If an attacker can inject benign html, such as:
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
they can clobber document.currentScript.src leading to XSS in your library.
Here is the same attack on webpack that was accepted: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Permalink: https://github.com/advisories/GHSA-gprj-6m2f-j9hxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncHJqLTZtMmYtajloeM4AA_P_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Identifiers: GHSA-gprj-6m2f-j9hx, CVE-2024-45389
References:
- https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx
- https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
- https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb
- https://nvd.nist.gov/vuln/detail/CVE-2024-45389
- https://github.com/advisories/GHSA-gprj-6m2f-j9hx
Blast Radius: 11.8
Affected Packages
cargo:pagefind
Dependent packages: 1Dependent repositories: 0
Downloads: 69,572 total
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.11.0, 0.12.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0
All unaffected versions: 1.1.1
npm:@pagefind/modular-ui
Dependent packages: 0Dependent repositories: 0
Downloads: 725 last month
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.11.0, 0.12.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0
All unaffected versions: 1.1.1
npm:@pagefind/default-ui
Dependent packages: 5Dependent repositories: 33
Downloads: 167,455 last month
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.11.0, 0.12.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0
All unaffected versions: 1.1.1
npm:pagefind
Dependent packages: 3Dependent repositories: 48
Downloads: 248,936 last month
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.11.0, 0.12.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0
All unaffected versions: 1.1.1