@nuxtjs Markdown Component Vulnerability Allows Cross-Site Scripting via JavaScript URLs
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the @nuxtjs/mdc library, affecting versions through 0.13.2. The issue arises from unsafe URL parsing logic in the markdown processing that fails to properly sanitize JavaScript URLs. This flaw allows the existing security measures, which aim to block harmful protocols such as 'javascript:', to be bypassed: encoding a JavaScript URL with HTML entities evades the library's deny-list approach to filtering. As a result, users who rely on this library to parse markdown from untrusted sources may inadvertently introduce XSS vulnerabilities through anchor links.
Impact
Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject malicious JavaScript that is executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, use the '@nuxtjs/mdc' library to parse markdown that includes anchor links with 'javascript:' URLs. The parsing will not sanitize these links, allowing the JavaScript code to execute. This can be done by importing the 'parseMarkdown' function from '@nuxtjs/mdc/runtime' and using it to process the markdown containing the malicious links.
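As an added illustration (not code from @nuxtjs/mdc, and not its actual fix), the block below contrasts a deny-list href check of the kind the advisory describes, which entity-encoded URLs slip past, with an allow-list check that decodes entities first and inspects the parsed scheme. The helper names and the sample links are constructed for this example.

```javascript
// Added example, not @nuxtjs/mdc's code: why a deny-list on the raw href fails
// and how an allow-list on the decoded, parsed scheme holds up.

// Minimal HTML entity decoder: numeric (&#106; / &#x6A;) plus common named entities.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return NAMED[body.toLowerCase()] ?? m;
  });
}

// Weak check (deny-list on the raw string): entities are never decoded, so
// "&#106;avascript:" does not start with "javascript:" and is reported as safe.
function denyListIsSafe(href) {
  const lower = href.trim().toLowerCase();
  return !['javascript:', 'vbscript:', 'data:'].some((p) => lower.startsWith(p));
}

// Hardened check (allow-list on the parsed scheme): decode entities as the browser
// will, drop ASCII controls/whitespace the URL parser ignores (conservative; this
// string is only used for the decision, not rendered), resolve against a base URL
// so relative links get the base's scheme, and accept only known-safe schemes.
const ALLOWED = new Set(['http:', 'https:', 'mailto:']);
function allowListIsSafe(href, base = 'https://example.invalid/') {
  const cleaned = decodeEntities(href).replace(/[\u0000-\u0020]/g, '');
  let url;
  try { url = new URL(cleaned, base); } catch { return false; }
  return ALLOWED.has(url.protocol);
}

// Constructed sample links; the entity-encoded ones are the bypass class the advisory describes.
const SAMPLES = [
  '/docs/getting-started',
  'https://example.invalid/page',
  'javascript:void(0)',
  '&#106;avascript:void(0)',
  'JAVA&#x53;CRIPT:void(0)',
  'jav\tascript:void(0)',
];
function compare(links = SAMPLES) {
  return links.map((h) => ({ href: h, denyList: denyListIsSafe(h), allowList: allowListIsSafe(h) }));
}
console.table(compare());
```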
Remediation
Users are advised to upgrade to version 0.13.3 or later, where this vulnerability has been addressed.