mdast-util-to-hast Unsanitized Class Attribute Vulnerability Allowing Unrestricted Classnames on Code Elements
Vulnerability
A vulnerability in the mdast-util-to-hast package, specifically in versions 13.0.0 prior to 13.2.1, allows multiple unprefixed classnames to be added to markdown code elements via character references. This unsanitized class attribute could make user-supplied markdown code appear indistinguishable from the rest of the page. The issue has been patched in version 13.2.1.
Impact
Exploitation of this vulnerability could lead to the injection of unvalidated classnames into markdown code elements, potentially allowing for unauthorized styling or behavior on those elements.
Reproduction
To reproduce this vulnerability, create a fenced markdown code block whose info string names a language followed by a character reference that represents a space and then a second word. Because the reference decodes to a space, an info string that decodes to 'js xss' is interpreted as JavaScript with an additional class for 'xss'. The rendered code element then carries a class beyond the expected language-prefixed one, and although it looks like ordinary sanitized output, that extra class could be targeted by page scripts or styles, such as by attaching event listeners.
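The following is an added example, not code from mdast-util-to-hast or from this advisory: a defender-side audit that walks a hast tree, expands each code element's className list into the tokens HTML serialization would emit, and strips anything that is not a single language-prefixed class. The sample tree is constructed by hand to mirror the class entry an info string decoding to 'js xss' produces in the affected versions.

```javascript
// Only one whitespace-free class with the language- prefix is legitimate.
const LANGUAGE_CLASS = /^language-\S+$/;

// Expand class entries into tokens: the single entry 'language-js xss'
// serializes as class="language-js xss", i.e. two classes, one unprefixed.
function classTokens(className) {
  return (className || []).flatMap((c) => String(c).split(/\s+/)).filter(Boolean);
}

// Return the class tokens that do not follow the language-prefix convention.
function auditCodeClasses(className) {
  return classTokens(className).filter((t) => !LANGUAGE_CLASS.test(t));
}

// Build the class list strictly from an info-string language: only the first
// whitespace-free token is kept, so a smuggled space cannot add a class.
function languageClass(lang) {
  const token = (lang || '').trim().split(/\s+/)[0];
  return token ? ['language-' + token] : [];
}

// Walk a hast tree, rewrite <code> classNames in place and collect findings
// (one array of unexpected tokens per affected element).
function hardenCodeElements(tree, findings = []) {
  if (tree.type === 'element' && tree.tagName === 'code') {
    const props = tree.properties || (tree.properties = {});
    const unexpected = auditCodeClasses(props.className);
    if (unexpected.length) findings.push(unexpected);
    props.className = classTokens(props.className).filter((t) => LANGUAGE_CLASS.test(t));
  }
  for (const child of tree.children || []) hardenCodeElements(child, findings);
  return findings;
}

// Constructed sample: pre > code as emitted for an info string decoding to 'js xss'.
const sample = {
  type: 'root',
  children: [{
    type: 'element', tagName: 'pre', properties: {},
    children: [{ type: 'element', tagName: 'code',
      properties: { className: ['language-js xss'] },
      children: [{ type: 'text', value: 'let x = 1' }] }]
  }]
};
console.log(hardenCodeElements(sample)); // prints [ [ 'xss' ] ]
console.log(sample.children[0].children[0].properties.className); // prints [ 'language-js' ]
```

The same check can be applied to rendered output with a rehype plugin that calls hardenCodeElements on the tree, which flags affected documents while the upgrade to 13.2.1 is rolled out.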
Remediation
Users can update to version 13.2.1 to address this vulnerability.
