Mistune Markdown Parser Image Directive CSS Injection Vulnerability

Vulnerability

A CSS injection vulnerability has been identified in the Image directive plugin of the Mistune Markdown parser, prior to version 3.2.1. The vulnerability arises because the plugin's validation for the :width: and :height: options accepts non-integer values and inserts them into the style attribute of the rendered image element without proper escaping. This flaw can be exploited to inject arbitrary CSS properties, for example to create a full-page overlay that obscures legitimate content, which could be used for phishing attacks.

Impact

Exploitation of this vulnerability allows for arbitrary CSS injection via the Image directive, with the potential to create a full-page overlay that obscures all content and could be used for phishing attacks, according to the vulnerability report.

Reproduction

The vulnerability can be reproduced by using the Mistune Markdown parser with the Image directive plugin. First, render the directive with plain integer :width: and :height: values to establish a baseline. Then, inject a :width: value that starts with a digit but continues with additional CSS declarations, such as '100vw;height:100vh;position:fixed', along with other styling properties. When the Markdown is rendered, the injected CSS is emitted unchanged in the image element's style attribute, creating a fixed overlay that covers the entire viewport.
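As an added illustration (not Mistune's own code), the snippet below contrasts a prefix-only dimension check, which accepts a value that merely starts with a digit, with a whole-value check, and adds a scanner that flags such option values in user-supplied Markdown before rendering. The accepted unit list and the `.. image::` option syntax are assumptions made for this example.

```python
import re

# Constructed illustration of the flaw described above: a value that starts
# with a digit but carries extra CSS. A prefix-only pattern (no end anchor)
# lets it through; a fully anchored pattern does not. The unit list is an
# assumption for this example, not Mistune's actual rule.
LOOSE_RE = re.compile(r"^\d+(?:px|em|%)?")     # matches only the prefix
STRICT_RE = re.compile(r"^\d+(?:px|em|%)?$")   # must match the whole value


def loose_dimension(value):
    """Prefix match: accepts '100vw;height:100vh;position:fixed' (unsafe)."""
    return value if LOOSE_RE.match(value) else None


def safe_dimension(value):
    """Whole-value match: returns the value only if it is a bare length."""
    value = value.strip()
    return value if STRICT_RE.match(value) else None


def render_style(width, height, check=safe_dimension):
    """Build a style attribute from dimensions that passed `check`; anything
    rejected is dropped rather than escaped, so no CSS can be smuggled in."""
    parts = []
    for name, raw in (("width", width), ("height", height)):
        if raw is None:
            continue
        ok = check(raw)
        if ok is not None:
            parts.append(f"{name}:{ok};")
    return "".join(parts)


# Assumed directive option syntax: lines like ':width: 300' under '.. image::'.
DIRECTIVE_OPT_RE = re.compile(r"^\s*:(width|height):\s*(.*?)\s*$", re.M)


def suspicious_dimensions(markdown):
    """Return (option, value) pairs whose value is not a bare length, for a
    pre-render check or review of user-supplied Markdown."""
    return [(name, val) for name, val in DIRECTIVE_OPT_RE.findall(markdown)
            if safe_dimension(val) is None]


# Constructed sample document: one benign image, one carrying the payload
# quoted in the advisory.
SAMPLE = """\
.. image:: https://example.invalid/logo.png
   :width: 300
   :height: 200

.. image:: https://example.invalid/overlay.png
   :width: 100vw;height:100vh;position:fixed
"""
```

Running `suspicious_dimensions(SAMPLE)` reports only the second image's :width: value, while `render_style` with the strict check emits an empty style for it.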

Remediation

Users are advised to update Mistune to version 3.2.1 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 9:44 PM
Updated: May 26, 2026, 9:44 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.4
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.