Vulnerability Details : CVE-2021-39199
remark-html is an open source Node.js library that compiles Markdown to HTML. In affected versions the remark-html documentation stated that it was safe by default. In practice the default was never safe: sanitizing had to be opted into, so user input was passed through unsanitized. Raw HTML in the Markdown input therefore reaches the HTML output unchanged, which allows cross-site scripting (XSS) whenever that input is untrusted. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.
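As an added example (not code from the advisory or the remark-html project): a Node.js check that walks an npm lockfile and flags remark-html installs that fall inside the affected ranges. It assumes the two ranges `< 13.0.2` and `>= 14.0.0 < 14.0.1`, derived from the two patched versions named above; that the lockfile uses the `packages` map of npm lockfile v2/v3; and that the constructed `sampleLock` object stands in for a real `package-lock.json`.

```javascript
// Added example, not from the advisory or the remark-html project.
// Assumed affected ranges: < 13.0.2 and >= 14.0.0 < 14.0.1 (the page names
// 13.0.2 and 14.0.1 as the patched versions). Lockfile format assumed to be
// npm v2/v3 with a "packages" map keyed by "node_modules/<name>" paths.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts below its release (13.0.2-rc.1 < 13.0.2),
// so a pre-release of the fixed version is still treated as unfixed.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

function isAffectedRemarkHtml(version) {
  // 13.x backport line: everything below 13.0.2 is unsanitised by default.
  if (compareSemver(version, "13.0.2") < 0) return true;
  // 14.x line: 14.0.0 shipped the unsafe default, 14.0.1 fixed it.
  return compareSemver(version, "14.0.0") >= 0 && compareSemver(version, "14.0.1") < 0;
}

// Scans every install path, including nested copies under other packages'
// node_modules, and reports the version plus the first fixed version on that line.
function findAffectedRemarkHtml(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/remark-html$/.test(path)) continue;
    if (!entry.version) continue;
    if (isAffectedRemarkHtml(entry.version)) {
      findings.push({
        path,
        version: entry.version,
        fixedIn: parseSemver(entry.version).major >= 14 ? "14.0.1" : "13.0.2",
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct install on the 14.x line and one
// transitive copy pinned by a hypothetical plugin to the 13.x line.
const sampleLock = {
  name: "docs-site",
  lockfileVersion: 2,
  packages: {
    "": { name: "docs-site", dependencies: { "remark-html": "^14.0.0" } },
    "node_modules/remark-html": { version: "14.0.0" },
    "node_modules/old-blog-plugin": { version: "1.2.0" },
    "node_modules/old-blog-plugin/node_modules/remark-html": { version: "13.0.1" },
    "node_modules/remark": { version: "14.0.1" },
  },
};

for (const f of findAffectedRemarkHtml(sampleLock)) {
  console.log(`${f.path}: remark-html ${f.version} is affected, update to ${f.fixedIn}`);
}
```

Nested installs matter: a transitive copy under another package's `node_modules` renders untrusted Markdown just as unsafely as the top-level one, so the path test matches any `node_modules/remark-html` segment rather than only the root entry. The unrelated `remark` package on the same major line is deliberately not matched. Where updating is not possible, the advisory's mitigation is to pass `sanitize: true` to the plugin.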
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-39199
- cpe:2.3:a:remark:remark-html:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39199
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~39% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-39199
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2) | 8.6 | 2.9 | NIST
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST
10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N | 3.9 | 5.8 | GitHub, Inc.

The two CVSS v3.1 assessments disagree on the vector, not just the number: NIST scores it as a typical XSS that needs user interaction with low confidentiality and integrity impact (UI:R, C:L/I:L), while GitHub's advisory score assumes no user interaction and high confidentiality and integrity impact (UI:N, C:H/I:H). Which one applies depends on whether untrusted Markdown reaches remark-html in your deployment and what the rendered page can do with a script.
CWE ids for CVE-2021-39199
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-39199
- https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1 (Fix to sanitize by default, remarkjs/remark-html commit b75c9dd) [Patch; Third Party Advisory]
- https://github.com/remarkjs/remark-html/releases/tag/14.0.1 (Release 14.0.1, remarkjs/remark-html) [Patch; Release Notes; Third Party Advisory]
- https://www.npmjs.com/package/remark-html (remark-html on npm) [Product; Third Party Advisory]
- https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m (Unsafe defaults in `remark-html`, GitHub Security Advisory for remarkjs/remark-html) [Patch; Third Party Advisory]