CVE-2025-1467: 
JavaScript vulnerability analysis and mitigation

Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight() methods. The vulnerability was discovered on January 22, 2024, and was disclosed on February 9, 2025, receiving the identifier CVE-2025-1467. This vulnerability affects the tarteaucitronjs package, which provides compliance to the European cookie law (Snyk Advisory).

The vulnerability exists in the getElemWidth() and getElemHeight() methods of tarteaucitronjs, which directly use getAttribute() without proper sanitization. This is a follow-up to a previous vulnerability fixed in version 1.16.0. The fix implemented in version 1.17.0 involves modifying these methods to use the getElemAttr utility method to prevent XSS attacks (GitHub Issue, GitHub Commit).

The vulnerability allows for Cross-site Scripting (XSS) attacks, which could enable attackers to steal cookies, hijack user sessions, expose sensitive information, enable access to privileged services and functionality, and deliver malware. The attack requires active user interaction and has limited impact on integrity and confidentiality (Snyk Advisory).

Users should upgrade tarteaucitronjs to version 1.17.0 or higher, which contains the security fix. The fix involves using the getElemAttr utility method instead of direct attribute access for width and height values (Snyk Advisory).