CVE-2025-68457
MEDIUM
Orejime < 2.3.2 - Cross-Site Scripting via Data Attribute Conversion
Title source: llmDescription
Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn't have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code.
References (3)
Core References
Third Party Advisory (x_refsource_confirm): https://github.com/boscop-fr/orejime/security/advisories/GHSA-72mh-hgpm-6384
Issue Tracking (x_refsource_misc): https://github.com/boscop-fr/orejime/issues/142
Issue Tracking, Patch, Vendor Advisory (x_refsource_misc): https://github.com/boscop-fr/orejime/pull/143
Scores
CVSS v3
6.1
EPSS
0.0002
EPSS Percentile
6.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
boscop/orejime
< 2.3.2
npm/orejime
0 - 2.3.2
Published
Dec 19, 2025
Tracked Since
Feb 18, 2026