CVE-2022-41709 electron-markdownify

Package

Manager: npm
Name: electron-markdownify
Vulnerable Version: >=0 <=1.4.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.0005 (percentile: 0.15083)

Details

Markdownify subject to Remote Code Execution via malicious markdown file

Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled. There are currently no patched versions and no known workarounds.

Metadata

Created: 2022-10-19T19:00:17Z
Modified: 2025-05-08T22:10:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-c942-mfmp-p4fh/GHSA-c942-mfmp-p4fh.json
CWE IDs: ["CWE-829"]
Alternative ID: GHSA-c942-mfmp-p4fh
Finding: F422
Auto approve: 1