CVE-2020-7773 in markdown-it-highlightjs
Summary
by MITRE • 11/16/2020
This affects the package markdown-it-highlightjs before 3.3.1. It is possible to insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. Proof of concept (the inline language is selected by a `{.lang}` suffix inside the code span, and the backtick delimiters of the span are restored here; the variable-name typo in the original is kept):

```js
const markdownItHighlightjs = require("markdown-it-highlightjs");
const md = require('markdown-it');

// Inline mode is opt-in; the payload's `">` lands inside the class attribute.
const reuslt_xss = md()
  .use(markdownItHighlightjs, { inline: true })
  .render('`console.log(42){.">js}`');

console.log(reuslt_xss);
```
Analysis
by VulDB Data Team • 12/07/2020
CVE-2020-7773 is a cross-site scripting (XSS) vulnerability in the markdown-it-highlightjs package, versions 3.3.0 and earlier. It is reachable only through the plugin's opt-in inline code highlighting feature (the `inline: true` option shown in the proof of concept), which lets the author of the markdown select a highlight.js language for a code span by appending `{.lang}` to it. The language token is taken from the markdown source without validation and written into the output HTML.
The technical flaw is that the lang value is interpolated into the class attribute of the generated `<code>` element without HTML escaping. A language token such as `">js` therefore closes the attribute and the start tag, and whatever follows in the token is emitted as raw markup rather than as text. Because that markup is produced by the plugin's own renderer rather than passed through from the markdown source, markdown-it's default of disabling raw HTML in the input does not prevent it. The injected markup runs in the browser of anyone who views the rendered page; nothing executes during rendering itself. The attack is easy to miss in review because the payload sits inside what looks like an ordinary inline code span.
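To make the attribute breakout concrete, here is an added example that is not markdown-it-highlightjs's own code: a minimal model of the `code{.lang}` inline syntax with the unescaped rendering pattern beside a hardened version. The `{.lang}` suffix parsing, the class-attribute layout, the allow-list pattern and the `<img onerror>` variant of the payload are all assumptions of this example (the page's proof of concept only shows `">js`); highlight.js is left out and the code body is simply HTML-escaped.

```javascript
// Added example (not the plugin's code): model of the `code{.lang}` inline
// syntax, vulnerable rendering vs. hardened rendering.

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;");
}

// Split a code span's contents into { code, lang }. A trailing `{.lang}`
// selects the language (assumed to match the plugin's inline syntax).
function splitInline(content) {
  const m = /^([\s\S]*?)\{\.([^}]*)\}$/.exec(content);
  if (!m) return { code: content, lang: null };
  return { code: m[1], lang: m[2] };
}

// Vulnerable pattern: the lang token goes straight into the class attribute,
// so a `"` ends the attribute and a `>` ends the <code> start tag.
function renderInlineVulnerable(content) {
  const { code, lang } = splitInline(content);
  if (lang === null) return `<code>${escapeHtml(code)}</code>`;
  return `<code class="hljs language-${lang}">${escapeHtml(code)}</code>`;
}

// Hardened pattern: accept only a plausible language identifier (assumed
// allow-list), and HTML-escape it anyway as defence in depth. Anything else
// falls back to an unhighlighted span and the token is never echoed.
const LANG_RE = /^[A-Za-z0-9_+#.-]{1,32}$/;
function renderInlineHardened(content) {
  const { code, lang } = splitInline(content);
  if (lang === null || !LANG_RE.test(lang)) {
    return `<code>${escapeHtml(code)}</code>`;
  }
  return `<code class="hljs language-${escapeHtml(lang)}">${escapeHtml(code)}</code>`;
}

// Rough breakout check for this demo: does the output contain a start tag
// other than <code>? (A real review would parse the HTML instead.)
function containsForeignTag(html) {
  return /<(?!\/?code\b)[a-z]/i.test(html);
}

// Constructed inputs: the advisory's own token shape, a benign span, and an
// extension of the same breakout that carries an event handler.
const POC_FROM_ADVISORY = 'console.log(42){.">js}';
const BENIGN = 'console.log(42){.js}';
const POC_WITH_HANDLER = 'console.log(42){."><img src=x onerror=alert(1)>js}';

function demo() {
  return {
    vulnerablePoc: renderInlineVulnerable(POC_FROM_ADVISORY),
    hardenedPoc: renderInlineHardened(POC_FROM_ADVISORY),
    vulnerableHandler: renderInlineVulnerable(POC_WITH_HANDLER),
    hardenedHandler: renderInlineHardened(POC_WITH_HANDLER),
    benign: renderInlineHardened(BENIGN),
  };
}

for (const [name, html] of Object.entries(demo())) {
  console.log(`${name}: ${html}`);
}
```

In the vulnerable output for the advisory's token the class attribute ends at `language-` and the text `js">` spills into the element body, which is exactly the breakout the `">` sequence is there to cause; the hardened renderer rejects the token and emits a plain `<code>` span. Note that the allow-list is an assumption of this example and not the project's fix; validating against the list of languages highlight.js actually registers would be tighter still.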
The operational impact is that an attacker who can contribute markdown to an application that renders it with markdown-it-highlightjs in inline mode can run arbitrary JavaScript in the browsers of the users who view that content. The attack surface is any application that renders user-generated markdown with syntax highlighting: comment systems, wikis, documentation platforms and content management systems are typical. The injected script runs with the origin and session of the viewing user, so the usual XSS consequences apply: session hijacking, data exfiltration, actions performed on the victim's behalf, and redirection to attacker-controlled sites.
The vulnerability is classified as CWE-79 Cross-Site Scripting and is mapped in the ATT&CK framework to T1203 Exploitation for Client Execution. Organizations using this package are at risk wherever untrusted markdown is rendered with the inline option enabled; deployments that never enable `inline` do not reach the affected code path. The attack requires minimal effort because it exploits a legitimate feature rather than bypassing a security control. The primary mitigation is upgrading to version 3.3.1 or later. Where an upgrade cannot be deployed immediately, the same property can be enforced in front of the plugin: disable the inline option, or validate the language token against the set of languages highlight.js actually registers and HTML-escape any value that is written into an attribute. A content security policy limits the blast radius only when it actually forbids the injected form of script, which means no `'unsafe-inline'` for scripts and nonce- or hash-based allow-listing; a policy that permits inline script stops nothing here. Beyond this package, organizations should review third-party markdown and highlighting plugins that construct HTML directly, since they sit outside the renderer's own escaping, and run automated dependency scanning to catch similar issues in the software supply chain.