Description
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.
Published: 2026-01-13
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Upgrade
AI Analysis

Impact

A Regular Expression Denial of Service (ReDoS) flaw was discovered in tarteaucitron.js that is triggered when processing the issuu_id parameter. The vulnerable regular expression can be fed a specially crafted value that causes the JavaScript engine to perform an exponential amount of work, leading to significant CPU usage and a potential denial of service for end users. The impact is limited to application availability; confidentiality and integrity are not directly affected.

Affected Systems

The vulnerability affects all releases of tarteaucitron.js older than version 1.29.0 from the AmauriC project. Any deployment using the library prior to 1.29.0 is susceptible to ReDoS when a malicious issuu_id is supplied.

Risk and Exploitability

The CVSS score of 4.4 classifies this flaw as low to moderate severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to provide a crafted issuu_id value, which could come from an attacker's controlled web page embedding the script or an injected request. The requirement for user-supplied input keeps the threat realistic in scenarios where the banner is exposed to untrusted input sources.

Generated by OpenCVE AI on April 18, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tarteaucitron.js to version 1.29.0 or later.
  • Validate the issuu_id input against a strict regex or known GUID format before passing to the library.
  • Implement rate limiting or input size restrictions on the issuu_id parameter to prevent repeated ReDoS attempts.

Generated by OpenCVE AI on April 18, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q5f6-qxm2-mcqm tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability
History

Tue, 20 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:amauri:tarteaucitronjs:*:*:*:*:*:node.js:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Amauri
Amauri tarteaucitronjs
Vendors & Products Amauri
Amauri tarteaucitronjs

Tue, 13 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.
Title tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Amauri Tarteaucitronjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:47:24.567Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22809

cve-icon Vulnrichment

Updated: 2026-01-13T19:47:21.789Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T20:16:11.263

Modified: 2026-01-20T16:49:02.293

Link: CVE-2026-22809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses