GHSA-vfvf-mqq8-rwqc

GitHub Security Advisory

Sanitization bypass using HTML Entities in marked

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

Affected versions of `marked` are susceptible to a cross-site scripting vulnerability in link components when `sanitize:true` is configured.

## Proof of Concept

This flaw exists because link URIs containing HTML entities are processed inconsistently. Before checking the URI scheme, `marked` decodes any HTML entity in the link on a best-effort basis; if that decoding fails, the character is simply omitted from the string the sanitizer inspects, while the entity itself is still included in the resulting link.

For example:

A link URI such as
```
javascript&#x58document;alert(1)
```
renders a valid link that executes `alert(1)` when clicked.
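The following is an added example, not `marked`'s source and not part of this advisory: a simplified JavaScript model of the pattern described above (decode HTML entities leniently, check the URI scheme on the decoded string, but emit the raw href), placed beside a hardened variant that decodes the way the browser will before checking. The decoder functions, the `browserLikeDecode` approximation of HTML attribute parsing, and all probe strings except the advisory's own payload are constructed for the demonstration. The decimal probe `javascript&#58document;alert(1)` is included because `Number("58document")` is `NaN`, which is exactly the "parsing fails, character omitted" case the advisory names, while a browser stops a numeric reference at the first non-digit and reads `&#58` as `:`.

```javascript
// Added example, not marked's source: a simplified model of the pattern the advisory
// describes (decode HTML entities leniently, then check the URI scheme, but emit the
// raw href), beside a hardened variant. All inputs below are constructed except the
// advisory's own payload.

// Turn a code point into a string without throwing on out-of-range values.
function codePointToString(cp) {
  return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
}

// Lenient decoder: any run of [#\w] between '&' and ';' is treated as one entity and
// parsed on a best-effort basis. A numeric entity that fails to parse yields the empty
// string, so that character is silently omitted from what the scheme check sees.
function lenientDecode(href) {
  return href.replace(/&([#\w]+);/g, (_, name) => {
    const n = name.toLowerCase();
    if (n === "colon") return ":";
    if (n[0] === "#") {
      const code = n[1] === "x" ? parseInt(n.slice(2), 16) : Number(n.slice(1));
      return Number.isNaN(code) ? "" : String.fromCharCode(code);
    }
    return ""; // unknown named entity: dropped
  });
}

// Approximation of how a browser decodes an attribute value: a numeric character
// reference is consumed for as long as the digits continue and does not need a
// terminating ';'. Only the references this example needs are modelled.
function browserLikeDecode(href) {
  return href
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => codePointToString(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => codePointToString(Number(dec)))
    .replace(/&colon;/gi, ":")
    .replace(/&amp;/gi, "&");
}

// Scheme check shared by both variants: keep only word characters and ':' and
// inspect the prefix.
function schemeIsDangerous(decoded) {
  const prot = decoded.replace(/[^\w:]/g, "").toLowerCase();
  return prot.startsWith("javascript:") || prot.startsWith("vbscript:");
}

// Vulnerable pattern: the check runs on the leniently decoded string, while the raw
// href is what ends up in the rendered <a href="...">.
function vulnerableAllowsHref(href) {
  return !schemeIsDangerous(lenientDecode(href));
}

// Hardened pattern: decode the same way the consumer will before checking, and refuse
// any href that still contains an undecoded numeric reference instead of dropping it.
function hardenedAllowsHref(href) {
  const decoded = browserLikeDecode(href);
  if (/&#/.test(decoded)) return false;
  return !schemeIsDangerous(decoded);
}

// Renders the link the way the vulnerable pattern does: raw href, quotes escaped only.
function renderLink(href, text) {
  return `<a href="${href.replace(/"/g, "&quot;")}">${text}</a>`;
}

// Constructed probes: the advisory's payload, a decimal variant whose entity fails the
// lenient parse but decodes to ':' in a browser, an obvious case both checks catch,
// and a benign URL that must stay allowed.
const probes = [
  "javascript&#x58document;alert(1)",
  "javascript&#58document;alert(1)",
  "javascript&colon;alert(1)",
  "https://example.com/?a=1&amp;b=2",
];

for (const href of probes) {
  console.log(
    `${href}\n  vulnerable allows:   ${vulnerableAllowsHref(href)}` +
    `\n  hardened allows:     ${hardenedAllowsHref(href)}` +
    `\n  browser-like decode: ${browserLikeDecode(href)}` +
    `\n  rendered:            ${renderLink(href, "link")}`
  );
}
```

The design point is that a sanitizer must decode its input the same way the downstream consumer will; a check that drops unparseable characters validates a string the browser never sees. Run with `node` to print each probe's result under both checks.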

## Recommendation

Update to version 0.3.6 or later.

Affected Packages

npm marked
Affected versions: < 0.3.6 (fixed in 0.3.6)

Key Information

GHSA ID
GHSA-vfvf-mqq8-rwqc
Published
February 18, 2019 11:58 PM
Last Modified
September 7, 2023 10:23 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
marked
GitHub Reviewed
Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.