AIKIDO-2024-10288
rollup is vulnerable to Cross-site Scripting (XSS)
64
Medium Risk
This Affects:
rollupTL;DR
Affected versions of the package are vulnerable to Cross-site Scripting (XSS). The resulting compiled website may contain XSS vulnerabilities because of DOM Clobbering. This can lead to XSS in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
rollup is vulnerable to Cross-site Scripting (XSS) in versions 1.0.0 - 3.29.4 and 4.0.0 - 4.22.3.
How to fix this
Upgrade the rollup library to the patch version.
Links
Fix Commits
github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541Other
github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant