GHSA-4fh9-h7wg-q85m

Source
https://github.com/advisories/GHSA-4fh9-h7wg-q85m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4fh9-h7wg-q85m/GHSA-4fh9-h7wg-q85m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4fh9-h7wg-q85m
Aliases
Published
2025-12-02T01:25:46Z
Modified
2025-12-02T01:59:16.175729Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
mdast-util-to-hast has unsanitized class attribute
Details

Impact

Multiple (unprefixed) class names could be added from markdown source by using character references. This could make code elements rendered from user-supplied markdown look like the rest of the page. The following markdown:

```js xss
```

would create `<pre><code class="language-js xss"></code></pre>`. If your page then applies `.xss` classes (or attaches listeners in JS), those apply to this element as well. For more info see https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md#unsanitized-class-attribute
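As an added illustration (not code from mdast-util-to-hast or from this advisory), the JavaScript below models how a fence info string becomes the code element's class when character references are decoded only after the language word has been split off, beside a hardened variant and a check that flags rendered `<code>` elements carrying more than one class. The function names, the minimal reference decoder and the sample HTML are assumptions constructed for this example.

```javascript
// Minimal decoder for numeric (&#32; / &#x20;) and a few named character
// references. Constructed for this example; not a full HTML entity table.
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot);/g, (_, n) => ({ amp: '&', lt: '<', gt: '>', quot: '"' }[n]));
}

// Assumed vulnerable shape: the language is the first whitespace-separated
// word of the RAW info string, and references are decoded afterwards. A
// reference that decodes to a space then smuggles a second class name in.
function classFromInfoVulnerable(info) {
  const lang = info.trim().split(/\s+/)[0];
  if (!lang) return null;
  return 'language-' + decodeCharRefs(lang);
}

// Hardened (illustrative, not the project's fix): decode first, keep only
// the first word, and accept only a single safe identifier as the language.
function classFromInfoHardened(info) {
  const lang = decodeCharRefs(info).trim().split(/\s+/)[0];
  if (!lang || !/^[A-Za-z0-9_+#.-]+$/.test(lang)) return null;
  return 'language-' + lang;
}

// Defender-side check over already-rendered HTML: return the class
// attribute of every <code> that carries anything beyond one language-* token.
function findSuspiciousCodeClasses(html) {
  const hits = [];
  const re = /<code\b[^>]*\bclass="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tokens = m[1].trim().split(/\s+/);
    if (tokens.length !== 1 || !tokens[0].startsWith('language-')) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample: one fence whose info string hides a space in a reference.
const SAMPLE_INFO = 'js&#x20;xss';
const SAMPLE_HTML =
  '<pre><code class="language-js xss"></code></pre>' +
  '<pre><code class="language-py"></code></pre>';
```

The first two functions take the info string that follows the opening fence; the third runs over output HTML and is the kind of check a site could add to its own rendering tests.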

Patches

The bug was patched. When using regular semver ranges, run `npm install`. For exact ranges, make sure to use 13.2.1.

Workarounds

Update.

References

  • bug introduced in https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403
  • bug fixed in https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7
Database specific
{
    "cwe_ids": [
        "CWE-20",
        "CWE-915"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2025-12-02T01:25:46Z",
    "nvd_published_at": "2025-12-01T23:15:53Z",
    "github_reviewed": true
}
Affected packages

  • npm / mdast-util-to-hast
    Affected range (SEMVER): introduced 13.0.0, fixed 13.2.1