CVE-2025-31475: 
JavaScript vulnerability analysis and mitigation

tarteaucitron.js, a compliant and accessible cookie banner, was found to contain a vulnerability (CVE-2025-31475) in versions prior to 1.20.1. The vulnerability was discovered in the addOrUpdate function, which is used for applying custom texts, where input validation was improperly implemented. This security issue was disclosed on April 7, 2025, affecting all versions of tarteaucitron.js before version 1.20.1 (GitHub Advisory).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as Prototype Pollution. The issue received a CVSS v3.1 score of 5.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the addOrUpdate function, which failed to properly validate input when applying custom texts, potentially allowing manipulation of JavaScript object prototypes (GitHub Advisory).

The vulnerability could allow an attacker with high privileges to modify object prototypes, affecting core JavaScript behavior, cause application crashes or unexpected behavior, and potentially introduce further security vulnerabilities depending on the application's architecture. This could lead to data corruption or unintended code execution (GitHub Advisory).

The vulnerability has been fixed in version 1.20.1 of tarteaucitron.js. The fix ensures that user-controlled inputs cannot modify JavaScript object prototypes by implementing proper input validation. The patch can be found in commit 74c354c (GitHub Commit).