CVE-2024-53384: 
JavaScript vulnerability analysis and mitigation

A DOM Clobbering vulnerability was discovered in tsup version 8.3.4, identified as CVE-2024-53384. The vulnerability allows attackers to execute arbitrary code via a crafted script by manipulating the import.meta.url to document.currentScript in cjs_shims.js components (NVD).

The vulnerability exists in the cjs_shims.js file where tsup translates import.meta.url to document.currentScript to determine the URL of the current script. The vulnerable code fails to properly verify that document.currentScript is a legitimate script element, allowing attackers to inject HTML elements that can be referenced as document.currentScript, thereby controlling the importMetaUrl value. The vulnerability has received a CVSS 3.1 Base Score of 5.1 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (GitHub POC).

When successfully exploited, this vulnerability allows attackers to perform cross-site scripting (XSS) attacks in web pages where scriptless attacker-controlled HTML elements are present. The impact is particularly significant due to tsup's popularity among JavaScript projects (GitHub POC).

A recommended fix involves verifying that document.currentScript is specifically a script element by checking the tagName property. The patch should include adding a condition: document.currentScript.tagName.toUpperCase() === 'SCRIPT' before accepting the currentScript value (GitHub POC).