GHSA-3527-qv2q-pfvx

Suggest an improvement
Source
https://github.com/advisories/GHSA-3527-qv2q-pfvx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-3527-qv2q-pfvx/GHSA-3527-qv2q-pfvx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3527-qv2q-pfvx
Aliases
Published
2025-05-05T20:40:36Z
Modified
2025-05-05T22:40:08.406878Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
league/commonmark contains a XSS vulnerability in Attributes extension
Details

Summary

Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.

Details

The league/commonmark library provides configuration options such as html_input: 'strip' and allow_unsafe_links: false to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces.

As a result, even with the secure configuration shown above, an attacker can inject dangerous attributes into applications using this extension via a payload such as:

![](){onerror=alert(1)}

Which results in the following HTML:

<p><img onerror="alert(1)" src="" alt="" /></p>

Which causes the JS to execute immediately on page load.

Patches

Version 2.7.0 contains three changes to prevent this XSS attack vector:

Workarounds

If upgrading is not feasible, please consider:

Database specific
{
    "nvd_published_at": "2025-05-05T20:15:21Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T20:40:36Z"
}
References

Affected packages

Packagist / league/commonmark

Package

Name
league/commonmark
Purl
pkg:composer/league/commonmark

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.0

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.2.0
0.2.1
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.16.0
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.19.0
0.19.1
0.19.2
0.19.3

1.*

1.0.0-beta1
1.0.0-beta2
1.0.0-beta3
1.0.0-beta4
1.0.0-rc1
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7

2.*

2.0.0-beta1
2.0.0-beta2
2.0.0-beta3
2.0.0-rc1
2.0.0-rc2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2