CVE-2025-31476
tarteaucitron.js allows url scheme injection via unfiltered inputs
CVSS 3.1 base score: 4.8 (MEDIUM)
EPSS: 0.46%
Description
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module does not sufficiently filter user-supplied markup inside content, leading to a persistent Cross-Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes into the page.
How to fix CVE-2025-31476
To remediate CVE-2025-31476, upgrade the affected package to a fixed version below.
- —upgrade to 1.20.1 or later
- —upgrade to 6.7.0 or later
Is CVE-2025-31476 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.20.1
- from 0, < 6.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.8) | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |