
CVE-2025-48939: CWE-138: Improper Neutralization of Special Elements in AmauriC tarteaucitron.js

Severity: Medium
Tags: Vulnerability, CVE-2025-48939, CWE-138
Published: Thu Jul 03 2025 (07/03/2025, 16:26:31 UTC)
Source: CVE Database V5
Vendor/Project: AmauriC
Product: tarteaucitron.js

Description

tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.

AI-Powered Analysis

Last updated: 07/03/2025, 16:57:33 UTC

Technical Analysis

CVE-2025-48939 is a medium-severity vulnerability affecting versions of the AmauriC tarteaucitron.js library prior to 1.22.0. tarteaucitron.js is a widely used JavaScript library that provides compliant and accessible cookie consent banners on websites. The vulnerability stems from improper neutralization of special elements (CWE-138) in the library's use of the document.currentScript property: the script reads document.currentScript without verifying that it actually references a <script> element.

In certain browser environments, named DOM elements become properties of the global document object. An attacker who can inject an HTML element whose name conflicts with document.currentScript can therefore make the library resolve that element instead of the intended <script> tag. The result is unexpected behaviour, such as failure to load the correct script path or substitution of the CDN domain from which tarteaucitron.js is loaded. Exploitation requires the ability to inject HTML elements into the page, which typically implies prior access or an existing HTML-injection or cross-site scripting (XSS) vulnerability.

The impact is primarily to integrity and availability: the script may fail to load, or may load maliciously altered resources. The issue was patched in version 1.22.0 by adding verification that document.currentScript references the correct element. The CVSS v3.1 score is 4.2 (medium), reflecting the requirement for local access, low attack complexity, high privileges and user interaction, with a scope change and limited impact on integrity and availability but no confidentiality loss. No known exploits are reported in the wild as of the publication date.
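The failure mode described above, shown as an added illustration that is not tarteaucitron.js's own code or its 1.22.0 patch: two ways of deriving the library's CDN origin from document.currentScript, one that trusts the property blindly and one that first confirms it is a <script> element and otherwise falls back to a built-in default. The document objects, the TRUSTED_CDN placeholder and the untrusted.invalid origin are constructed stand-ins so the block runs under Node without a DOM; in a browser the element test would be `el instanceof HTMLScriptElement`.

```javascript
// Added illustration, not tarteaucitron.js's own code or its 1.22.0 patch.
// All document objects and URLs below are constructed stand-ins so that this
// runs under Node without a DOM.

const TRUSTED_CDN = 'https://cdn.example.invalid'; // placeholder default origin

// Stand-in for the genuine <script> element that loaded the library.
const realScript = { tagName: 'SCRIPT', src: `${TRUSTED_CDN}/tarteaucitron.js` };

// Stand-in for a non-script element whose name has taken over the
// document.currentScript property (the clobbering the advisory describes).
const clobberedElement = { tagName: 'IMG', src: 'https://untrusted.invalid/tarteaucitron.js' };

function isScriptElement(el) {
  // In a browser the canonical test is `el instanceof HTMLScriptElement`.
  // The tagName fallback lets the same logic run in Node, where that global
  // does not exist.
  if (!el || typeof el !== 'object') return false;
  if (typeof HTMLScriptElement !== 'undefined') return el instanceof HTMLScriptElement;
  return el.tagName === 'SCRIPT' && typeof el.src === 'string';
}

// Pre-1.22.0 pattern: trusts whatever document.currentScript happens to be.
// With a clobbered property this yields the injected element's origin.
function resolveCdnOriginUnchecked(doc) {
  return new URL(doc.currentScript.src).origin;
}

// Hardened pattern: only a real <script> element with a parseable absolute
// src is accepted; anything else falls back to the built-in default, so a
// clobbered property cannot redirect where the library loads from.
function resolveCdnOriginChecked(doc, fallback = TRUSTED_CDN) {
  const el = doc.currentScript;
  if (!isScriptElement(el)) return fallback;
  try {
    return new URL(el.src).origin;
  } catch {
    return fallback; // relative or malformed src: do not trust it
  }
}

// Constructed document stand-ins for a stand-alone run.
const cleanDocument = { currentScript: realScript };
const clobberedDocument = { currentScript: clobberedElement };

console.log('unchecked, clean:     ', resolveCdnOriginUnchecked(cleanDocument));
console.log('unchecked, clobbered: ', resolveCdnOriginUnchecked(clobberedDocument));
console.log('checked,   clean:     ', resolveCdnOriginChecked(cleanDocument));
console.log('checked,   clobbered: ', resolveCdnOriginChecked(clobberedDocument));
```

The checked variant is the element verification the advisory credits to 1.22.0, expressed as a fallback rather than a hard failure; pairing it with a Content Security Policy that limits script-src to the expected CDN closes the remaining gap, since the CSP is enforced by the browser regardless of what the page's DOM contains.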

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the deployment of tarteaucitron.js on their public-facing websites or internal portals. Since tarteaucitron.js is designed to help with cookie consent compliance, it is likely used by organizations aiming to meet GDPR requirements, which are stringent in Europe. An attacker exploiting this vulnerability could manipulate the script loading process, potentially redirecting the script source to a malicious CDN or causing the cookie banner to malfunction. This could lead to incorrect cookie consent handling, undermining compliance efforts and exposing organizations to regulatory penalties. Additionally, if the script is loaded from an attacker-controlled source, it could be used as a vector for further client-side attacks, such as delivering malicious JavaScript payloads to users. This could compromise user trust, damage brand reputation, and potentially lead to broader security incidents. However, exploitation requires the attacker to have the ability to inject HTML elements into the affected pages, which may limit the practical risk unless combined with other vulnerabilities like XSS. The vulnerability could also disrupt website availability or user experience if the cookie banner fails to load correctly.

Mitigation Recommendations

European organizations should immediately upgrade all instances of tarteaucitron.js to version 1.22.0 or later, where the vulnerability has been patched. Beyond upgrading, organizations should conduct thorough security reviews of their web applications to identify and remediate any HTML injection or cross-site scripting vulnerabilities that could enable an attacker to exploit this issue. Implementing Content Security Policy (CSP) headers can help restrict the domains from which scripts can be loaded, mitigating the risk of malicious CDN substitution. Additionally, validating and sanitizing all user inputs and HTML content before rendering is critical to prevent injection attacks. Organizations should also monitor their web traffic and script loading behavior for anomalies that might indicate exploitation attempts. Finally, maintaining an inventory of third-party JavaScript libraries and ensuring timely updates is essential for ongoing security hygiene.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-28T18:49:07.580Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6866b2446f40f0eb7299335a

Added to database: 7/3/2025, 4:39:32 PM

Last enriched: 7/3/2025, 4:57:33 PM

Last updated: 7/3/2025, 7:24:31 PM
