CVE-2016-10531 in marked
Summary
by MITRE
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.
Analysis
by VulDB Data Team • 08/27/2025
CVE-2016-10531 affects the marked markdown parsing library in version 0.3.5 and earlier. marked converts markdown into HTML and is widely used to render user-generated content; the flaw matters when the library is configured with `sanitize: true`, the option intended to block content injection. The bypass relies on how marked parses HTML entities in markdown input, which lets an attacker get past the protection that option is supposed to provide.
The root cause is marked's handling of HTML entities of the form `&#xNNanything;`, where `NN` is a hexadecimal value. The parser decodes the hexadecimal portion it can and leaves the rest behind, so the sanitization check never sees the string the way the browser will eventually render it. This allows an attacker to construct a `javascript:` URL that passes the `sanitize: true` check, which is meant to prevent injection of executable JavaScript. Because the library does not validate and decode HTML entities consistently before applying its sanitization logic, crafted input renders that logic ineffective.
For applications that run marked with `sanitize: true`, the impact is injection of arbitrary JavaScript through crafted markdown, that is, cross-site scripting: the injected code executes in the browser of any user who views the rendered content. Every application that relies on marked's sanitize option to block script injection is affected, including content management systems, comment systems, and other platforms that render user-supplied markdown. The bypass produces no error or warning, so the application has no signal that sanitization failed, which makes it most dangerous where sanitized user input is then treated as safe.
Mitigation is to upgrade to marked version 0.3.6 or later, which corrects the HTML entity parsing in the sanitization logic. Organizations should also add input validation beyond the library's built-in protection, such as content filtering at the application layer, and regularly audit their markdown processing components. The weakness is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and maps to ATT&CK technique T1203: Exploitation for Client Execution, since it lets an attacker run script in users' browsers. Runtime protections such as Content Security Policy headers limit the impact of a successful injection, and regular penetration testing should cover other markdown libraries and custom HTML sanitizers that may decode entities in a similarly inconsistent way.