CVE-2024-47068

CVE-2024-47068 is a medium-severity vulnerability in Rollupjs Rollup with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.

Frequently asked questions

What is CVE-2024-47068?
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.
How severe is CVE-2024-47068?
CVE-2024-47068 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2024-47068 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (49th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-47068?
CVE-2024-47068 affects Rollupjs Rollup. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-47068?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-47068 have an EU (EUVD) identifier?
Yes. CVE-2024-47068 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2800.
When was CVE-2024-47068 published?
CVE-2024-47068 was published on 2024-09-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Rollupjs Rollup

All CVEs affecting Rollupjs Rollup →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →