CVE-2021-39199

Cross site scripting via unsafe defaults in remark-html

Description

remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.

References

Link	Tags
https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m	third party advisory patch
https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1	third party advisory patch
https://github.com/remarkjs/remark-html/releases/tag/14.0.1	patch third party advisory release notes
https://www.npmjs.com/package/remark-html	product third party advisory

Frequently Asked Questions

What is the severity of CVE-2021-39199?: CVE-2021-39199 has been scored as a critical severity vulnerability.
How to fix CVE-2021-39199?: To fix CVE-2021-39199, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-39199 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-39199 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-39199?: CVE-2021-39199 affects remarkjs remark-html.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions