CVE-2021-39199 – remark-html

Package

Manager: npm
Name: remark-html
Vulnerable Version: >=0 <13.0.2 || =14.0.0 || >=14.0.0 <14.0.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00329 pctl0.55158

Details

Unsafe defaults in `remark-html` ### Impact The documentation of `remark-html` has mentioned that it was safe by default. In practise the default was never safe and had to be opted into. This means arbitrary HTML can be passed through leading to potential XSS attacks. ### Patches The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. ### Workarounds On older affected versions, pass `sanitize: true`, like so: ```diff - .use(remarkHtml) + .use(remarkHtml, {sanitize: true}) ``` ### References n/a ### For more information If you have any questions or comments about this advisory: * Open an issue in [`remark-html`](https://github.com/remarkjs/remark-html) * Email us at [security@unifiedjs.com](mailto:security@unifiedjs.com)

Metadata

Created: 2021-09-07T23:10:56Z
Modified: 2021-09-07T19:05:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9q5w-79cv-947m/GHSA-9q5w-79cv-947m.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9q5w-79cv-947m
Finding: F008
Auto approve: 1