CVE-2024-56510 – @marp-team/marp-core

Package

Manager: npm
Name: @marp-team/marp-core
Vulnerable Version: >=3.0.2 <3.9.1 || =4.0.0 || >=4.0.0 <4.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00112 pctl0.30443

Details

Marp Core allows XSS by improper neutralization of HTML sanitization Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization. ### Impact Marp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS). ### Patches Marp Core [v3.9.1](https://github.com/marp-team/marp-core/releases/tag/v3.9.1) and [v4.0.1](https://github.com/marp-team/marp-core/releases/tag/v4.0.1) have been patched to fix that. ### Workarounds If you are unable to update the package immediately, disable all HTML tags by setting `html: false` option in the `Marp` class constructor. ```javascript const marp = new Marp({ html: false }) ``` ### References - [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html) - https://github.com/marp-team/marp-core/pull/282 - https://github.com/marp-team/marp-core/commit/61a1def244d1b6faa8e2c0be97ec0b68cab3ab49 ### Credits Thanks to @Ry0taK for finding out this vulnerability.

Metadata

Created: 2024-12-26T18:25:25Z
Modified: 2024-12-26T21:45:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-x52f-h5g4-8qv5/GHSA-x52f-h5g4-8qv5.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-x52f-h5g4-8qv5
Finding: F008
Auto approve: 1