
Update dependency @pagefind/default-ui to v1.1.1 [SECURITY] #54


Open. Wants to merge 1 commit into base: main

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 6, 2024

This PR contains the following updates:

Package              Change
@pagefind/default-ui 1.0.4 -> 1.1.1

GitHub Vulnerability Alerts

CVE-2024-45389

Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of document.currentScript.src.

It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:

<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>

This will cause document.currentScript.src to resolve as an external domain, which will then be used by Pagefind to load dependencies.

This exploit would only work in the case that an attacker could inject HTML into your live, hosted website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, img tags with a name attribute), but not others, as adding a script to the page would itself be the XSS vector.

Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

Original Report

If an attacker can inject benign HTML, such as:

<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>

they can clobber document.currentScript.src leading to XSS in your library.

Here is the same attack on webpack that was accepted: GHSA-4vvj-4cpr-p986


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
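As an added example (not Pagefind's code and not part of this PR), a hardened resolver for the lookup the advisory above describes: it trusts document.currentScript only when it is an actual script element whose http(s) URL sits on the page's own origin, so a named img such as the one in the advisory yields null instead of an attacker-controlled base path. Plain objects stand in for DOM nodes so it runs under Node; the same-origin policy, the tagName check and the fixture values are this example's assumptions.

```javascript
// Added example, not Pagefind's implementation. Assumption: DOM nodes are
// modelled as plain objects with tagName/src, and only same-origin http(s)
// bundle locations are acceptable.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);

// Return the directory URL the running script was loaded from, or null when
// the lookup cannot be trusted. `doc` is document-like (has currentScript);
// `pageOrigin` is the hosting page's origin, e.g. "https://example.org".
function resolveBundleBase(doc, pageOrigin) {
  const el = doc && doc.currentScript;
  // Named <img>/<form> elements are reachable as document.<name>, which is
  // how the clobber works; insist on a real <script> with a string src.
  if (!el || el.tagName !== "SCRIPT" || typeof el.src !== "string") {
    return null;
  }
  let url;
  try {
    url = new URL(el.src, pageOrigin);
  } catch {
    return null; // unparsable src: treat as untrusted
  }
  // blob:, data:, javascript: etc. are never a legitimate bundle location.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Only same-origin bundles are trusted under this example's policy.
  if (url.origin !== pageOrigin) return null;
  // Strip the file name: ".../pagefind/pagefind-ui.js" -> ".../pagefind/"
  return url.href.slice(0, url.href.lastIndexOf("/") + 1);
}

// Constructed fixtures mirroring the advisory's scenario (not from the page).
const realScript = { tagName: "SCRIPT", src: "https://example.org/pagefind/pagefind-ui.js" };
const clobberedImg = { tagName: "IMG", name: "currentScript", src: "blob:https://evil.example/ui.js" };
const crossOriginScript = { tagName: "SCRIPT", src: "https://cdn.example/ui.js" };
```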

height bot commented Dec 6, 2024

Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword link (e.g. "Link T-123").

💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.


netlify bot commented Dec 6, 2024

Deploy Preview for streetlifedigest failed. Why did it fail? →

Name Link
🔨 Latest commit fe48505
🔍 Latest deploy log https://app.netlify.com/projects/streetlifedigest/deploys/689f1cd6bb8f620007b1cc71

@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch 2 times, most recently from 72d157c to d336a56 Compare January 31, 2025 03:37
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from d336a56 to ad0f79b Compare February 9, 2025 19:08
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from ad0f79b to a14dcf9 Compare March 5, 2025 00:04
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch 3 times, most recently from 2aae078 to 5ff74bb Compare March 19, 2025 03:43
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from 5ff74bb to 0e0a1a0 Compare April 2, 2025 03:27
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from 0e0a1a0 to 9f5fff8 Compare April 9, 2025 03:58
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from 9f5fff8 to a43f499 Compare April 26, 2025 00:05
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch 2 times, most recently from 27abaa5 to 4c880d0 Compare May 31, 2025 15:53
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from 4c880d0 to bd00024 Compare June 6, 2025 15:40
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from bd00024 to 88b6301 Compare July 5, 2025 04:13
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from 88b6301 to 39e6484 Compare August 11, 2025 03:43
@renovate renovate bot force-pushed the renovate/npm-pagefind-default-ui-vulnerability branch from 39e6484 to fe48505 Compare August 15, 2025 11:41