CVE-2024-6531
Cross-Site Scripting (XSS) vulnerability in bootstrap (npm)
What is CVE-2024-6531 About?
This Cross-Site Scripting (XSS) vulnerability in Bootstrap affects the carousel component, where inadequate sanitization of `data-slide` and `data-slide-to` attributes allows exploitation through the `href` attribute of an `<a>` tag. Attackers can inject and execute arbitrary JavaScript code in the victim's browser, posing a significant risk. The ease of exploitation depends on the context of user-controlled input within the carousel component.
Affected Software
- bootstrap
- >4.0.0, <5.0.0
- >4.0.0, <5.0.0
- >4.0.0, <5.0.0
- bootstrap.sass
- >4.0.0, <5.0.0
- twbs/bootstrap
- >4.0.0, <5.0.0
- org.webjars:bootstrap
- >4.0.0, <5.0.0
- org.webjars.npm:bootstrap
- >4.0.0, <5.0.0
Technical Details
The vulnerability exists in the Bootstrap carousel component due to insufficient sanitization of input provided to the data-slide and data-slide-to attributes. An attacker can craft a malicious <a> tag within the carousel structure where the href attribute contains executable JavaScript code. When an unsuspecting user interacts with the compromised carousel element, the browser executes the injected script, leading to a Cross-Site Scripting (XSS) attack. This bypasses typical defenses because the attributes are not correctly validated before being rendered in the DOM, allowing direct script injection.
What is the Impact of CVE-2024-6531?
Successful exploitation may allow attackers to execute arbitrary JavaScript code in the victim's browser, leading to session hijacking, defacement of the website, redirecting users to malicious sites, or stealing sensitive user data.
What is the Exploitability of CVE-2024-6531?
Exploitation necessitates injecting malicious HTML content (specifically, an <a> tag with a crafted href attribute) into a Bootstrap carousel component. This typically requires the ability to submit or modify web page content, often via a user-controllable input field that is not properly sanitized. The attack is client-side and remote, targeting the victim's browser. Complexity can be moderate, depending on the sanitization mechanisms in place upstream. No specific authentication or privilege requirements are directly tied to the exploitation of the XSS itself, but the ability to inject content may rely on certain user roles or access levels within the application. Risk is heightened if the web application allows unprivileged users to contribute content containing HTML that is rendered within Bootstrap carousels.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-6531?
Available Upgrade Options
- org.webjars:bootstrap
- >4.0.0, <5.0.0 → Upgrade to 5.0.0
- org.webjars.npm:bootstrap
- >4.0.0, <5.0.0 → Upgrade to 5.0.0
- twbs/bootstrap
- >4.0.0, <5.0.0 → Upgrade to 5.0.0
- bootstrap
- >4.0.0, <5.0.0 → Upgrade to 5.0.0
- bootstrap.sass
- >4.0.0, <5.0.0 → Upgrade to 5.0.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://lists.debian.org/debian-lts-announce/2025/04/msg00021.html
- https://osv.dev/vulnerability/GHSA-vc8w-jr9v-vj7f
- https://www.herodevs.com/vulnerability-directory/cve-2024-6531
- https://lists.debian.org/debian-lts-announce/2025/04/msg00021.html
- https://github.com/twbs/bootstrap
- https://www.herodevs.com/vulnerability-directory/cve-2024-6531
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml
- https://nvd.nist.gov/vuln/detail/CVE-2024-6531
What are Similar Vulnerabilities to CVE-2024-6531?
Similar Vulnerabilities: CVE-2023-45803 , CVE-2023-29007 , CVE-2023-28929 , CVE-2022-40156 , CVE-2022-32213
