Safeguard
Vulnerabilities

CVE-2019-8331: The Bootstrap XSS Vulnerability, Explained

CVE-2019-8331 let attackers inject script through Bootstrap's tooltip and popover template options, a pattern that recurred across several Bootstrap CVEs before 4.3.1 finally closed it.

Safeguard Research Team
Research
4 min read

CVE-2019-8331 is a cross-site scripting vulnerability in Bootstrap versions before 4.3.1, where the tooltip, popover, and toast components' template and title options could be used to inject and execute attacker-controlled HTML and script if that input wasn't sanitized before being passed to the component. Bootstrap is one of the most widely used front-end frameworks in existence, which is exactly why a component-level XSS in it kept resurfacing across multiple CVEs rather than being a one-off bug.

What made the tooltip and popover components vulnerable?

The vulnerability existed because Bootstrap's tooltip and popover components render their data-template option as HTML, and if an application passed unsanitized user input into that option — directly or through a wrapper library — the rendered output could include executable script. This is a classic DOM-based XSS pattern: the vulnerable sink isn't a server-side template, it's a client-side component that trusts its configuration input more than it should. In practice, exploitation required:

  • An application passing user-controlled data into a tooltip's title, content, or template configuration, rather than a hardcoded string.
  • No sanitization step between that user input and the component initialization.
  • A Bootstrap version before 4.3.1, where this specific rendering path hadn't yet been hardened.

Was this the only Bootstrap XSS issue around this time?

No — Bootstrap had a run of related XSS CVEs across its 3.x and early 4.x tooltip/popover/affix code, reflecting that the underlying pattern (rendering configuration options as HTML without sanitization) took more than one release to fully close. Teams auditing an older Bootstrap dependency should check the actual pinned version against the full set of relevant advisories, not just this single CVE, since a codebase stuck on an old 3.x or early 4.x release could be affected by more than one of them simultaneously.

How would a scanner catch this today?

A JavaScript vulnerability scanner or dependency scanner catches this the same way it catches any known-CVE frontend library issue: by matching the declared Bootstrap version in your package.json or bundled asset against the CVE database, then flagging it as needing an upgrade. The harder part isn't detection — it's confirming actual exploitability, since many projects pull in Bootstrap's CSS without ever wiring user input into the vulnerable tooltip/popover options, which makes the theoretical CVE present but practically unreachable in that specific codebase.

How do you fix it?

Upgrade to Bootstrap 4.3.1 or later, where the vulnerable rendering path was patched. If an upgrade isn't immediately possible, the interim mitigation is to ensure no user-controlled input reaches the template, title, or content options of tooltip, popover, or toast components without being sanitized first — treating those options the same way you'd treat any other HTML-rendering sink in your application.

FAQ

Does CVE-2019-8331 affect Bootstrap 5?

No — Bootstrap 5 postdates this fix and rewrote significant portions of its component internals. This CVE is specific to Bootstrap versions before 4.3.1.

Is this vulnerability exploitable without any user input involved?

No. Exploitation requires an application path where user-controlled data reaches the vulnerable tooltip/popover configuration options — a static site using default Bootstrap components with no dynamic tooltip content isn't practically exploitable through this specific CVE.

How do I check what Bootstrap version my project uses?

Check package.json for an npm-installed copy, or inspect the bundled CSS/JS file's header comment for a version string if it was downloaded directly rather than installed via a package manager.

Are there other frontend frameworks with similar tooltip-rendering XSS issues?

Yes — any component library that renders configuration strings as HTML rather than as escaped text is a candidate for the same class of bug, which is why sanitizing any user input reaching a rendering sink matters regardless of framework.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.