CVE-2025-31476: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AmauriC tarteaucitron.js
tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link. An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to execution of arbitrary JavaScript code, theft of sensitive data through phishing attacks, or modification of the user interface behavior. This vulnerability is fixed in 1.20.1.
AI Analysis
Technical Summary
CVE-2025-31476 is a medium-severity cross-site scripting (XSS) vulnerability identified in the JavaScript library tarteaucitron.js, a widely used compliant and accessible cookie banner solution. The vulnerability stems from improper input validation during web page generation, specifically allowing a user with high privileges—such as those with access to the site's source code or CMS plugin—to insert URLs containing insecure schemes like "javascript:alert()". Prior to the fix in version 1.20.1, the library failed to sufficiently sanitize or neutralize these URLs, enabling arbitrary JavaScript execution when an end user clicks on a maliciously crafted link. This vulnerability is classified under CWE-79, which involves improper neutralization of input leading to XSS attacks. The CVSS v3.1 base score is 4.8 (medium), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. Exploitation requires a privileged user to insert malicious URLs and an end user to interact with the link, which could lead to execution of arbitrary JavaScript code, enabling phishing, theft of sensitive data, or UI manipulation. No known exploits in the wild have been reported as of the publication date (April 7, 2025).
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for websites and online services that rely on tarteaucitron.js for cookie consent management, which is common due to GDPR compliance requirements. An attacker with high privileges—such as a compromised administrator account or malicious insider—could embed malicious scripts that execute in the context of users visiting the site. This could lead to theft of personal data, session hijacking, or manipulation of the user interface to deceive users into divulging sensitive information. Given the widespread use of cookie banners in Europe, exploitation could undermine user trust and lead to regulatory penalties under GDPR if personal data is compromised. However, the requirement for high privileges and user interaction limits the attack surface to scenarios where internal access is already compromised or tightly controlled. The vulnerability does not affect availability but poses moderate risks to confidentiality and integrity of user data and site behavior.
Mitigation Recommendations
Upgrade tarteaucitron.js to version 1.20.1 or later, where the vulnerability is fixed with improved URL validation and input neutralization. Implement strict access controls and monitoring on CMS and source code repositories to prevent unauthorized or malicious high-privilege user actions. Conduct regular code reviews and audits of any user-generated content or configuration inputs that may affect URL parameters or script execution. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and limit the impact of potential XSS attacks. Educate administrators and privileged users about the risks of inserting untrusted URLs or scripts into the site content. Use web application firewalls (WAF) with rules tuned to detect and block suspicious URL schemes and script injection attempts. Monitor logs for unusual activity related to URL modifications or privilege escalations that could indicate exploitation attempts.
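The fix described above amounts to allow-list validation of link schemes before a URL is written into the banner's anchors. The following is an added illustration of that class of check, not tarteaucitron.js's own code; the function names, the config keys `privacyUrl` and `readmoreLink`, and the placeholder origin are assumptions for the example.

```javascript
// Added example, not tarteaucitron.js's own code: allow-list validation of
// link URLs before they are written into a cookie banner's anchors, the class
// of fix that CVE-2025-31476 describes. Function and config key names below
// (isSafeLinkUrl, auditLinkConfig, privacyUrl, readmoreLink) are assumptions.

// Link schemes a consent banner legitimately needs (assumption for the example).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Base used only to resolve relative URLs; relative links stay on the
// document's own origin, so they inherit its scheme and are acceptable.
const SITE_BASE = "https://example.org/"; // constructed placeholder origin

// Scheme check that normalizes the way a browser does, instead of a naive
// `url.startsWith("javascript:")` test. The WHATWG URL parser strips leading
// C0 controls and spaces, drops tabs and newlines anywhere, and lowercases the
// scheme, so " JavaScript:" or "java\tscript:" still reach the scheme handler
// as javascript:. Delegating to the same parser gives the check the same view.
function isSafeLinkUrl(url) {
  if (typeof url !== "string" || url.trim() === "") return false;
  let parsed;
  try {
    parsed = new URL(url, SITE_BASE);
  } catch (e) {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Audits a banner configuration object (as a CMS plugin might supply it) and
// returns the keys whose URLs fail validation, so an operator can find the
// offending entries instead of silently rendering them.
function auditLinkConfig(config, linkKeys = ["privacyUrl", "readmoreLink"]) {
  return linkKeys.filter((k) => k in config && !isSafeLinkUrl(config[k]));
}

// Constructed sample configuration for demonstration.
const sampleConfig = {
  privacyUrl: "/privacy-policy",
  readmoreLink: " JavaScript:alert()", // disguised with leading space and case
};
console.log(auditLinkConfig(sampleConfig)); // prints ["readmoreLink"]
```

Running the audit against existing site configuration is a quick way to confirm no stored link slipped past the pre-1.20.1 validation before or after upgrading.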
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-03-28T13:36:51.297Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684b454f358c65714e6b022b
Added to database: 6/12/2025, 9:23:27 PM
Last enriched: 6/12/2025, 9:38:29 PM
Last updated: 7/29/2025, 11:41:33 PM