Tsup DOM Clobbering Vulnerability Allowing Arbitrary Code Execution

A DOM clobbering vulnerability has been identified in Tsup version 8.3.4. This issue allows attackers to execute arbitrary code by injecting a crafted script into the import.meta.url, which is then referenced by document.currentScript in the cjs_shims.js components. The vulnerability arises because Tsup's handling of import.meta.url can be manipulated to execute unauthorized scripts.

Impact

Exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing for the execution of malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, bundle a JavaScript file with Tsup version 8.3.4. The bundled script can then be used on a webpage that contains an injected image element with an unsanitized name attribute. The injected image will be referenced as the current script, allowing the attacker to execute code by loading a script from an external URL.

Remediation

Users can update to Tsup version 8.3.5 or later, where this vulnerability has been patched. The patch involves checking that document.currentScript is a legitimate script element before using it.