Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-24v3-254g-jv85

Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature

Published
Dec 19, 2025
Updated
Dec 19, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
📦@tutao/tutanota-utils

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Impact

Users importing contacts from untrusted sources.

Specifically crafted contact data can lead to some of DOM modifications for the link button next to the field e.g. the link address can be overriden. CSS can be manipulated to give the button arbitrary look and change it's size so that any click on the screen would lead to the specified URL. Modifying event listeners does not seem to be possible so no JS can be executed (which would also be prevented by CSP).

Technical details

The data is included as part of the mithril's hyperscript selector. It is possible to define a value like ][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh which will be included in the selector passed to Mithril and will be interpreted as part of the code.

Patches

https://github.com/tutao/tutanota/commit/e28345f5f78f628f9d5c04e785f79543f01dca8b

Workarounds

Do not open contact viewer on unpatched versions. If the contact was opened, close the app or use keyboard shortcuts to switch to another part of the app.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@tutao/tutanota-utilsall versions314.251111.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @tutao/tutanota-utils. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @tutao/tutanota-utils to 314.251111.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-24v3-254g-jv85 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-24v3-254g-jv85 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-24v3-254g-jv85. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact Users importing contacts from untrusted sources. Specifically crafted contact data can lead to some of DOM modifications for the link button next to the field e.g. the link address can be overriden. CSS can be manipulated to give the button arbitrary look and change it's size so that any click on the screen would lead to the specified URL. Modifying event listeners does *not* seem to be possible so no JS can be executed (which would also be prevented by CSP). ## Technical details The data is included as part of the [mithril's hyperscript selector](https://mithril.js.org/hyperscrip
O3 Security · Impact-Aware SCA

Is GHSA-24v3-254g-jv85 in your dependencies?

O3 detects GHSA-24v3-254g-jv85 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works