[Security] Bump rollup from 2.79.1 to 2.79.2
Bumps rollup from 2.79.1 to 2.79.2. This update includes a security fix.
Vulnerabilities fixed
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
We have identified a DOM Clobbering vulnerability in
rollup
bundled scripts, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.
... (truncated)
Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: = 4.0.0, < 4.22.4
Changelog
Sourced from rollup's changelog.
rollup changelog
4.22.5
2024-09-27
Bug Fixes
- Allow parsing of certain unicode characters again (#5674)
Pull Requests
- #5674: Fix panic with unicode characters (
@sapphi-red
,@lukastaegert
)- #5675: chore(deps): update dependency rollup to v4.22.4 [security] (
@renovate
[bot])- #5680: chore(deps): update dependency
@rollup/plugin-commonjs
to v28 (@renovate
[bot],@lukastaegert
)- #5681: chore(deps): update dependency
@rollup/plugin-replace
to v6 (@renovate
[bot])- #5682: chore(deps): update dependency
@rollup/plugin-typescript
to v12 (@renovate
[bot])- #5684: chore(deps): lock file maintenance minor/patch updates (
@renovate
[bot])4.22.4
2024-09-21
Bug Fixes
- Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)
Pull Requests
- #5670: refactor: Use object.prototype to check for reserved properties (
@YuHyeonWook
)- #5671: Fix DOM Clobbering CVE (
@lukastaegert
)4.22.3
2024-09-21
Bug Fixes
- Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)
Pull Requests
- #5669: Ensure impure dependencies of pure modules are added (
@lukastaegert
)4.22.2
2024-09-20
Bug Fixes
... (truncated)
Commits
-
c9bd03d
2.79.2 -
48aef33
fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677) - See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts