CVE-2024-21535: Cross site scripting in markdown-to-jsx

October 15, 2024

Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown.

References

github.com/advisories/GHSA-4wx3-54gh-9fr9
github.com/quantizor/markdown-to-jsx
github.com/quantizor/markdown-to-jsx/commit/8eb74da825c0d8d2e9508d73c672bcae36ba555a
nvd.nist.gov/vuln/detail/CVE-2024-21535
security.snyk.io/vuln/SNYK-JS-MARKDOWNTOJSX-6258886

Detect and mitigate CVE-2024-21535 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →