high severity
npm

Content & Code Injection (XSS)

Affected package: marked
Vulnerable versions: <0.3.6
Latest version: 0.3.6
Snyk patch: Available

Overview

marked is a markdown parser and compiler used for rendering markdown content to HTML. Versions before 0.3.6 are vulnerable to a content injection (XSS) attack that bypasses the output sanitization enabled by the sanitize: true option. That option is meant to drop links whose target uses a scripting scheme such as javascript:, but the check decodes HTML character references differently from a browser, so a target that the sanitizer sees as harmless is written into the href attribute unchanged and decoded by the browser into a javascript: URL. The colon can be supplied as the decimal character reference &#58 (note that the hexadecimal form &#x58 decodes to "X", not ":", and would not produce a javascript: URL); for example the link target javascript&#58document;alert&#40;1&#41;, used as in [click me](javascript&#58document;alert&#40;1&#41;), passes the check and is decoded by the browser to javascript:document;alert(1), so alert(1) is executed when the user clicks on the link.

Remediation

Upgrade marked to version 0.3.6 or higher. If you cannot upgrade, you can apply the Snyk patch using the Snyk wizard. Alternatively, you can use remarkable or another markdown library. Because this class of bypass depends on how the browser decodes the emitted href, treat the markdown renderer's sanitize option as one layer only: when rendering untrusted markdown, also sanitize the resulting HTML before inserting it into the page.
