CVE-2025-68457 is a cross-site scripting (CWE-79) vulnerability affecting Orejime, a consent management tool designed with accessibility in mind. The vulnerability arises from Orejime's handling of HTML data attributes prior to version 2.3.2. Specifically, if an attacker can inject HTML containing data attributes with embedded javascript: URIs (e.g., data-href="javascript:..."), Orejime's consent processing logic converts these data attributes into standard attributes (e.g., data-href becomes href) when the user consents to a related purpose. This conversion causes the embedded JavaScript code to execute in the victim's browser context. The vulnerability requires that an attacker first be able to inject HTML into the page, which is generally difficult since Orejime elements are typically hardcoded and not user-controllable. The CVSS 4.0 score is 1.7 (low severity), reflecting the limited attack surface and lack of user interaction or privileges required. The vulnerability was publicly disclosed on December 19, 2025, and fixed in Orejime version 2.3.2. No known exploits have been reported in the wild. Mitigation can be achieved by upgrading to 2.3.2 or sanitizing any attributes that could contain executable code outside of Orejime.

For European organizations, the impact of this vulnerability is generally low due to the requirement for HTML injection, which is typically prevented by secure coding practices and content security policies. However, if an attacker can inject malicious HTML into pages using vulnerable Orejime versions, they could execute arbitrary JavaScript in the context of the affected website, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of users. This could compromise confidentiality and integrity of user data and reduce trust in the affected service. Organizations handling sensitive user consent data or operating in regulated sectors (e.g., finance, healthcare) should consider the reputational and compliance risks. Since Orejime is a consent manager, improper handling of consent data could also have privacy implications under GDPR if exploited.

1. Upgrade Orejime to version 2.3.2 or later, where the vulnerability is patched. 2. Implement strict input validation and sanitization on any user-controllable inputs that could be rendered as HTML attributes, especially those that might be processed by Orejime. 3. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and javascript: URIs. 4. Conduct code reviews and penetration testing focused on injection points to ensure no HTML injection is possible in pages using Orejime. 5. Monitor for unusual client-side script execution or consent-related anomalies that could indicate exploitation attempts. 6. Educate developers and administrators about the risks of improper attribute handling and the importance of secure consent management configurations.