CVE-2024-53384 in tsup
Summary
by MITRE • 03/03/2025
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/01/2025
The vulnerability identified as CVE-2024-53384 represents a critical DOM Clobbering flaw within the tsup build tool version 8.3.4. This issue stems from improper handling of script execution contexts where attackers can manipulate the import.meta.url property to influence document.currentScript behavior in cjs_shims.js components. The vulnerability falls under the CWE-79 category of Cross-Site Scripting and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter. The flaw occurs when the build tool generates shim files that process module metadata in a manner susceptible to manipulation through crafted script references.
The technical exploitation of this vulnerability occurs through manipulation of the import.meta.url property which is typically used to determine the URL of the current module. When tsup processes modules and generates cjs_shims.js files, it creates a context where document.currentScript can be influenced by attacker-controlled input. This creates an opportunity for attackers to inject malicious code that executes within the browser context when these shims are loaded. The vulnerability is particularly dangerous because it leverages legitimate build tool functionality to create an attack vector that can bypass normal security restrictions.
The operational impact of CVE-2024-53384 extends beyond simple code execution to potentially compromise entire development environments and build pipelines. Attackers could exploit this vulnerability to inject malicious code into compiled bundles, affecting applications that depend on tsup for their build process. The vulnerability affects any project using tsup version 8.3.4 where the generated cjs_shims.js components are loaded in a browser context. This creates a significant risk for applications that dynamically load modules or where build artifacts are served to end users, as the malicious code execution could occur during normal application operation.
Mitigation strategies for CVE-2024-53384 should prioritize immediate version updates to tsup, as the vulnerability is resolved in subsequent releases. Organizations should also implement strict input validation for any module metadata processing and consider sandboxing build environments to limit potential attack surface. Security monitoring should focus on detecting anomalous script loading patterns and unexpected modifications to build artifacts. Additionally, developers should avoid using tsup in environments where untrusted code might be processed, and implement proper content security policies to prevent execution of unauthorized scripts. The vulnerability demonstrates the importance of proper context handling in build tools and highlights the need for security considerations in development toolchains rather than just runtime applications.