CVE-2024-53382

MEDIUM

PrismJS < 1.29.0 - DOM Clobbering and Cross-Site Scripting via document.currentScript Shadowing

Title source: llm

Description

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Scores

CVSS v3 4.9
EPSS 0.0029
EPSS Percentile 21.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79 CWE-94
Status published
Products (2)
npm/prismjs 0 - 1.30.0 (npm)
prismjs/prism < 1.29.0
Published Mar 03, 2025
Tracked Since Feb 18, 2026