GHSA-3527-qv2q-pfvx

Source

https://github.com/advisories/GHSA-3527-qv2q-pfvx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-3527-qv2q-pfvx/GHSA-3527-qv2q-pfvx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3527-qv2q-pfvx

Aliases

CVE-2025-46734

Published

2025-05-05T20:40:36Z

Modified

2025-05-05T22:40:08.406878Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

league/commonmark contains a XSS vulnerability in Attributes extension

Details

Summary

Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.

Details

The league/commonmark library provides configuration options such as html_input: 'strip' and allow_unsafe_links: false to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces.

As a result, even with the secure configuration shown above, an attacker can inject dangerous attributes into applications using this extension via a payload such as:

![](){onerror=alert(1)}

Which results in the following HTML:

<p><img onerror="alert(1)" src="" alt="" /></p>

Which causes the JS to execute immediately on page load.

Patches

Version 2.7.0 contains three changes to prevent this XSS attack vector:

All attributes starting with on are considered unsafe and blocked by default
Support for an explicit allowlist of allowed HTML attributes
Manually-added href and src attributes now respect the existing allow_unsafe_links configuration option

Workarounds

If upgrading is not feasible, please consider:

Disabling the AttributesExtension for untrusted users
Filtering the rendered HTML through a library like HTMLPurifier

Database specific

{
    "nvd_published_at": "2025-05-05T20:15:21Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T20:40:36Z"
}

References

Affected packages

Packagist / league/commonmark

Package

Name: league/commonmark
Purl: pkg:composer/league/commonmark

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.0

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.2.0

0.2.1

0.3.0

0.4.0

0.5.0

0.5.1

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.8.0

0.9.0

0.10.0

0.11.0

0.11.1

0.11.2

0.11.3

0.12.0

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.14.0

0.15.0

0.15.1

0.15.2

0.15.3

0.15.4

0.15.5

0.15.6

0.15.7

0.16.0

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.18.5

0.19.0

0.19.1

0.19.2

0.19.3

1.*

1.0.0-beta1

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-rc1

1.0.0

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

2.*

2.0.0-beta1

2.0.0-beta2

2.0.0-beta3

2.0.0-rc1

2.0.0-rc2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.1.1

2.1.2

2.1.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2