Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/pagefind@0.8.0

Type npm

Namespace

Name pagefind

Version 0.8.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.1.1

Latest_non_vulnerable_version 1.1.1

Affected_by_vulnerabilities

url VCID-q9bp-vygk-9kak

vulnerability_id VCID-q9bp-vygk-9kak

summary

DOM clobbering could escalate to Cross-site Scripting (XSS)
Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`.

It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:
```html
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
```

This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies.

This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector.

Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

### Original Report

If an attacker can inject benign html, such as:
`<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>`

they can clobber `document.currentScript.src` leading to XSS in your library.

Here is the same attack on webpack that was accepted: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45389

reference_id

reference_type

scores

value	0.01215
scoring_system	epss
scoring_elements	0.79315
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45389

reference_url

https://github.com/CloudCannon/pagefind

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/CloudCannon/pagefind

reference_url

https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/

url

https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb

reference_url

https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/

url

https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx

reference_url

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/

url

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-45389

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-45389

reference_url

https://github.com/advisories/GHSA-gprj-6m2f-j9hx

reference_id

GHSA-gprj-6m2f-j9hx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gprj-6m2f-j9hx

fixed_packages

url	pkg:npm/pagefind@1.1.1
purl	pkg:npm/pagefind@1.1.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/pagefind@1.1.1

aliases CVE-2024-45389, GHSA-gprj-6m2f-j9hx

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q9bp-vygk-9kak

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pagefind@0.8.0

Package Instance