Rollup.js is a popular module bundler for JavaScript applications, which helps in optimizing code by reducing its size and improving its performance. However, it was recently discovered that certain versions of Rollup.js contain a DOM Clobbering security vulnerability. This post aims to provide in-depth information about this vulnerability (CVE-2024-47068), its impact, and recommended mitigations.

Vulnerability Details

Versions of Rollup.js prior to 2.79.2, 3.29.5, and 4.22.4 are affected by a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. DOM Clobbering occurs when an attacker can inject HTML elements with attributes that overwrite or "clobber" properties in the global JavaScript scope, causing unintended side effects in the web application. This can lead to cross-site scripting (XSS) attacks in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

The following code snippet illustrates how the DOM Clobbering vulnerability can be exploited:

// rollup.config.js: a bundle that uses import.meta.url in 'cjs', 'umd', or 'iife' format
const rollupConfig = {
  input: "src/index.js",
  output: {
    format: "cjs", // also vulnerable in 'umd' and 'iife' formats
    file: "dist/bundle.js"
  },
  plugins: [
    {
      name: "resolve-import-meta",
      // Returns the JavaScript expression Rollup emits in place of import.meta.<property>
      resolveImportMeta(property) {
        return `import.meta.${property}`;
      }
    }
  ]
};

export default rollupConfig;

// src/index.js: the bundled module reads its own URL
const exampleUrl = import.meta.url; // vulnerable usage of import.meta.url

// Attacker-controlled HTML on the same page: a scriptless element whose 'name'
// attribute clobbers a global property the bundle relies on
<img name="url" src="xss_payload_here" />

With the above setup, an attacker can leverage the DOM Clobbering vulnerability to inject XSS payloads through scriptless HTML elements.

Original References

- Rollup.js GitHub Repository: https://github.com/rollup/rollup
- Rollup.js Releases Page (with patch details): https://github.com/rollup/rollup/releases
- DOM Clobbering Explained: https://portswigger.net/web-security/dom-based/dom-clobbering

Exploit Details

The exploit relies on the presence of attacker-controlled HTML elements that carry scriptless attributes such as name. In pages where such unsanitized elements are present, an attacker can inject malicious scripts and perform an XSS attack. The consequences include stealing session cookies, exfiltrating sensitive data, or performing actions on the user's behalf.

Mitigations

To mitigate this vulnerability, it is essential to update Rollup.js to one of the following patched versions (the first fixed release of each affected line, as listed in the vulnerability details above):

- 2.79.2
- 3.29.5
- 4.22.4

These versions contain a patch that prevents the DOM Clobbering vulnerability from being exploited in the identified formats (cjs, umd, iife).

Additionally, it is important to:

1. Properly sanitize attacker-controlled data to prevent script injection through HTML element attributes (in particular, do not let untrusted content set name or id attributes on elements that end up in the page).
2. Deploy a Content Security Policy (CSP) so that even a successful clobber cannot load or execute script from attacker-chosen origins.
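As an added example (not code from the original post or from the Rollup project) of the defensive check that matters here: a cjs/umd/iife bundle has no native import.meta.url, so it falls back to document.currentScript.src, and a named scriptless element such as <img name="currentScript"> can clobber that lookup. The hardened resolver below only trusts currentScript when it really is a <script> element; the document objects, URLs and the fallback value are constructed stand-ins so the code runs in Node without a browser.

```javascript
// Added example: clobber-resistant resolution of a bundle's own URL.
// Assumption: `doc` is a minimal stand-in for the browser `document`; only the
// properties this example reads (currentScript, tagName, src) are modelled.

const FALLBACK_URL = "https://app.example/dist/bundle.js"; // constructed sample

// Naive resolution, the shape a vulnerable bundle emits when import.meta.url is
// used in a non-ESM format: whatever document.currentScript.src says wins.
function resolveUrlNaive(doc) {
  return (doc.currentScript && doc.currentScript.src) || FALLBACK_URL;
}

// Hardened resolution: named <img>/<form>/<embed>/<object> elements can shadow
// document.currentScript, but they cannot change their own tagName, so only a
// genuine <script> element is trusted as the source of the URL.
function resolveUrlHardened(doc) {
  const s = doc.currentScript;
  const isScript =
    !!s && typeof s.tagName === "string" && s.tagName.toUpperCase() === "SCRIPT";
  return (isScript && s.src) || FALLBACK_URL;
}

// Constructed stand-in: the page as the developer expects it, bundle loaded
// by a normal <script src="..."> tag.
const legitDocument = {
  currentScript: { tagName: "SCRIPT", src: "https://app.example/dist/bundle.js" },
};

// Constructed stand-in: the same page after an attacker injected
// <img name="currentScript" src="https://attacker.example/payload.js">.
// The named <img> now answers the document.currentScript lookup.
const clobberedDocument = {
  currentScript: { tagName: "IMG", src: "https://attacker.example/payload.js" },
};

// Detection aid for the defender: flags any scriptless element whose name
// shadows a document property the bundle depends on.
function findClobberingElements(elements, reliedOnProps) {
  return elements.filter(
    (el) => el.tagName.toUpperCase() !== "SCRIPT" && reliedOnProps.includes(el.name)
  );
}

const constructedElements = [
  { tagName: "SCRIPT", name: "", src: "https://app.example/dist/bundle.js" },
  { tagName: "IMG", name: "currentScript", src: "https://attacker.example/payload.js" },
  { tagName: "IMG", name: "logo", src: "https://app.example/logo.png" },
];
```

Run under Node: the naive resolver returns the attacker's URL for the clobbered page, while the hardened one falls back to the known bundle location and the detection helper singles out the offending <img>.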

Conclusion

The DOM Clobbering vulnerability in Rollup.js (CVE-2024-47068) presents a severe risk to web applications using older versions of the library. Updating to a patched version and implementing web security best practices, such as data sanitization and CSP, can help mitigate the risk posed by this vulnerability. Stay safe, and happy coding!

Timeline

Published on: 09/23/2024 16:15:06 UTC
Last modified on: 10/29/2024 16:15:05 UTC