chore(deps): update dependency @nuxtjs/mdc to v0.13.3 [security] - autoclosed #459

Closed
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 6, 2025

This PR contains the following updates:

Package: @nuxtjs/mdc
Change: 0.13.2 -> 0.13.3

GitHub Vulnerability Alerts

CVE-2025-24981

Summary

Unsafe parsing logic for URLs in markdown can lead to arbitrary JavaScript code execution due to a bypass of the existing guards around the javascript: protocol scheme in the URL.

Details

The parsing logic implemented at https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16 maintains a deny-list approach to filtering potentially malicious payloads. It does so by matching protocol schemes like javascript: and others.

Specifically, this is the code from the mdc library's parser that is not secure enough:

export const unsafeLinkPrefix = [
  'javascript:',
  'data:text/html',
  'vbscript:',
  'data:text/javascript',
  'data:text/vbscript',
  'data:text/css',
  'data:text/plain',
  'data:text/xml'
]

export const validateProp = (attribute: string, value: string) => {
  if (attribute.startsWith('on')) {
    return false
  }

  if (attribute === 'href' || attribute === 'src') {
    return !unsafeLinkPrefix.some(prefix => value.toLowerCase().startsWith(prefix))
  }

  return true
}

These security guards can be bypassed by an adversary who provides JavaScript URLs with HTML entities encoded as hex strings.

PoC

The following URL payloads, if provided to the markdown parsing library (such as through the usage of import { parseMarkdown } from '@nuxtjs/mdc/runtime';), will trigger the alert() dialog:

# ✅ This is correctly escaped by the parser

- XSS Attempt:

<a href="javascript:alert(1)"> this gets sanitized, yay!</a>

# ❌ These are vulnerable and not escaped

- Bypass 1:

<a href="jav&#x09;ascript:alert('XSS');">Click Me 1</a>

- Bypass 2:

<a href="jav&#x0A;ascript:alert('XSS');">Click Me 2</a>

- Bypass 3:

<a href="jav&#10;ascript:alert('XSS');">Click Me 3</a>

Impact

For users who consume this library and parse markdown from unvalidated sources such as LLM-generated text responses, user input and other untrusted sources, this could result in rendering XSS-vulnerable anchor links.

Reference

You may refer to the following write-up for a more in-depth walkthrough of URL parsing problems and suggestions on how to securely address them: How to Parse URLs from Markdown to HTML Securely?


Release Notes

nuxt-modules/mdc (@nuxtjs/mdc)

v0.13.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
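The advisory quoted above shows a prefix deny-list check and three entity-encoded payloads that slip past it because the check runs on the raw attribute text while the browser decodes the entity and then ignores the tab or newline inside the scheme. The following TypeScript is an added example, not code from @nuxtjs/mdc or from the fix shipped in v0.13.3: it reproduces the vulnerable check as validatePropDenyList and puts a hardened validatePropHardened beside it that decodes HTML character references, applies the same leading/trailing control-character trimming and tab/LF/CR removal the WHATWG URL parser performs, and then accepts only an allow-list of schemes. The function names, the ALLOWED_SCHEMES set and the NAMED_REFS table are assumptions made for this example.

```typescript
// Added example, not code from @nuxtjs/mdc: the advisory's prefix deny-list
// (validatePropDenyList) next to a hardened check (validatePropHardened) that
// decodes HTML character references and strips ignorable characters before
// reading the URL scheme, then accepts only an allow-list of schemes.

// --- 1. The vulnerable shape quoted in the advisory -------------------------
// A prefix deny-list tested against the raw attribute text. "jav&#x09;ascript:"
// does not start with "javascript:", so it passes, yet the browser decodes the
// entity, drops the tab, and the link runs script.
export const unsafeLinkPrefix = [
  'javascript:', 'data:text/html', 'vbscript:', 'data:text/javascript',
  'data:text/vbscript', 'data:text/css', 'data:text/plain', 'data:text/xml',
]

export const validatePropDenyList = (attribute: string, value: string): boolean => {
  if (attribute.startsWith('on')) return false
  if (attribute === 'href' || attribute === 'src') {
    return !unsafeLinkPrefix.some(prefix => value.toLowerCase().startsWith(prefix))
  }
  return true
}

// --- 2. Hardened check -------------------------------------------------------
// Named references that can appear in a smuggled scheme (assumed table for this
// example). Anything else that still looks like a reference in the scheme
// position is rejected in isSafeLink below.
const NAMED_REFS: Record<string, string> = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n',
}

// Decode character references once, as the HTML parser does for attribute
// values: &#NN; (decimal), &#xHH; (hex), semicolon optional, plus NAMED_REFS.
// Unknown or out-of-range references are left in place.
export function decodeHtmlEntities(s: string): string {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);?/g, (match, body: string) => {
    if (body[0] !== '#') {
      const named = NAMED_REFS[body]
      return named === undefined ? match : named
    }
    const hex = body[1] === 'x' || body[1] === 'X'
    const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10)
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match
  })
}

// Apply the WHATWG URL parser's own pre-processing so the scheme we inspect is
// the one the browser will see: strip leading/trailing C0 controls and spaces,
// then remove ASCII tab, LF and CR anywhere in the string.
export function normalizeUrl(raw: string): string {
  return decodeHtmlEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
}

// Allow-list of schemes a markdown link may carry (an assumption for this
// example; tune to the application). Scheme-less values are relative URLs.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel'])

export function isSafeLink(raw: string): boolean {
  const url = normalizeUrl(raw)
  // Fail closed: an '&' before the first ':', '/', '?' or '#' is a character
  // reference we could not decode, sitting where a scheme would be.
  if (url.split(/[:\/?#]/, 1)[0].includes('&')) return false
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url)
  if (!m) return true // no scheme: relative path, query or fragment
  return ALLOWED_SCHEMES.has(m[1].toLowerCase())
}

export const validatePropHardened = (attribute: string, value: string): boolean => {
  if (attribute.toLowerCase().startsWith('on')) return false
  if (attribute === 'href' || attribute === 'src') return isSafeLink(value)
  return true
}

// The three bypass payloads from the advisory's PoC section, constructed here
// as sample input so the two checks can be compared side by side.
export const bypassPayloads = [
  "jav&#x09;ascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  "jav&#10;ascript:alert('XSS');",
]

export function compareChecks(): Array<{ payload: string; denyList: boolean; hardened: boolean }> {
  return bypassPayloads.map(payload => ({
    payload,
    denyList: validatePropDenyList('href', payload), // true = allowed (the bypass)
    hardened: validatePropHardened('href', payload), // false = rejected
  }))
}
```

The order of operations is the point: decode first, then strip, then read the scheme, so the check sees the same string the browser's URL parser will. An allow-list on the scheme also removes the need to enumerate every dangerous data: MIME type, which is where the original deny-list would otherwise keep growing.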


cloudflare-workers-and-pages bot commented Feb 6, 2025

Deploying playground with Cloudflare Pages

Latest commit: f1f0b98
Status: ✅  Deploy successful!
Preview URL: https://4d3383e9.playground-bhb.pages.dev
Branch Preview URL: https://renovate-npm-nuxtjs-mdc-vuln.playground-bhb.pages.dev



pkg-pr-new bot commented Feb 6, 2025


npm i https://pkg.pr.new/nuxt-hub/core/@nuxthub/core@459

commit: f1f0b98

@renovate renovate bot changed the title chore(deps): update dependency @nuxtjs/mdc to v0.13.3 [security] chore(deps): update dependency @nuxtjs/mdc to v0.13.3 [security] - autoclosed Feb 7, 2025
@renovate renovate bot closed this Feb 7, 2025
@renovate renovate bot deleted the renovate/npm-nuxtjs-mdc-vulnerability branch February 7, 2025 13:51