CVE-2025-54075 in mdc

Summary

by MITRE • 07/18/2025

MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. Prior to version 0.17.2, a remote script-inclusion / stored cross-site scripting vulnerability in @nuxtjs/mdc lets a Markdown author inject a `<base>` element. The `<base>` tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context. Version 0.17.2 contains a fix for the issue.

Analysis

by VulDB Data Team • 07/23/2025

The vulnerability identified as CVE-2025-54075 affects the @nuxtjs/mdc package, which serves as a tool for generating Markdown documents that interact with Vue components. This package enables developers to create dynamic content by processing markdown text and rendering it through Vue.js components, making it a critical element in modern web application development workflows. The flaw exists in versions prior to 0.17.2, where the package fails to properly sanitize user-provided markdown content, creating a path for malicious actors to inject harmful script tags into the generated output. The vulnerability specifically exploits the handling of markdown elements within the Vue component rendering process, allowing attackers to manipulate how relative URLs are resolved within the document context.

The technical exploitation of this vulnerability occurs through the injection of HTML script tags within markdown content that gets processed by the @nuxtjs/mdc package. When an attacker crafts malicious markdown that includes a script element, the package's insufficient sanitization allows this element to persist in the final rendered output. The critical aspect of this flaw is that the script tag fundamentally alters how relative URLs are resolved within the page context, effectively enabling attackers to redirect resource loading to external domains they control. This URL resolution manipulation allows the injected scripts to load additional malicious resources such as JavaScript files, CSS stylesheets, or images from attacker-controlled origins, creating a full chain of cross-site scripting execution. The vulnerability operates at the core of how the package handles markdown processing and Vue component integration, making it particularly dangerous as it can be exploited through legitimate content authoring workflows.

The operational impact of this vulnerability extends beyond simple XSS attacks, as it provides attackers with complete control over the victim's browser session within the context of the affected website. This capability allows for session hijacking, data exfiltration, and the execution of arbitrary commands on behalf of authenticated users. The vulnerability affects any website or application that utilizes @nuxtjs/mdc for content generation and rendering, particularly those that allow user-generated content or markdown editing capabilities. Attackers can leverage this flaw to steal sensitive information, perform actions as authenticated users, or redirect traffic to malicious domains, making it a significant threat to web application security. The vulnerability's persistence in the system means that even after initial exploitation, attackers can maintain access and continue to leverage the compromised functionality for extended periods.

Mitigation strategies for CVE-2025-54075 require immediate implementation of version 0.17.2 or later, which contains the necessary fixes to prevent script tag injection and URL resolution manipulation. Organizations should conduct comprehensive audits of all systems utilizing @nuxtjs/mdc to identify potential exposure and ensure proper patching protocols are followed. Additional defensive measures include implementing strict input validation and sanitization for all markdown content, employing content security policies to restrict external resource loading, and monitoring for unauthorized script injection attempts. The vulnerability aligns with CWE-79 which addresses cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for initial access through malicious content injection. Security teams should also consider implementing automated scanning tools to detect similar vulnerabilities in other markdown processing libraries and ensure that all dependencies are regularly updated to prevent exploitation of known security flaws.
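
An added example (not code from @nuxtjs/mdc or from this advisory) for the audit step above: it scans stored Markdown for raw `<base>` elements, the HTML tag that changes how relative URLs resolve, and shows where a relative asset would then load from. The helper names, the page URL and the sample document are constructed for illustration.

```javascript
// Added example; helper names are hypothetical and not part of @nuxtjs/mdc.
const FENCE = /^\s*(`{3,}|~{3,})/;
const BASE_TAG = /<base\b[^>]*>/gi;
const HREF = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Find raw <base> tags outside fenced code blocks (inline code spans are still
// flagged; review those by hand).
function findBaseTags(markdown) {
  let inFence = false;
  const visible = markdown.split(/\r?\n/).map((line) => {
    const isFence = FENCE.test(line);
    if (isFence) inFence = !inFence;
    return inFence || isFence ? "" : line;
  }).join("\n");
  return [...visible.matchAll(BASE_TAG)].map((m) => {
    const h = HREF.exec(m[0]);
    return {
      line: visible.slice(0, m.index).split("\n").length,
      tag: m[0],
      href: h ? (h[1] ?? h[2] ?? h[3]) : null,
    };
  });
}

// Where a relative path resolves for a page, with or without a <base href>.
function resolveAgainst(pageUrl, relPath, baseHref) {
  const base = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(relPath, base).href;
}

// Flag findings whose href leaves the site's origin (unparseable counts too).
function audit(markdown, pageUrl) {
  const site = new URL(pageUrl).origin;
  return findBaseTags(markdown).map((f) => {
    let origin = null;
    try { origin = new URL(f.href ?? "", pageUrl).origin; } catch { /* invalid */ }
    return { ...f, crossOrigin: f.href !== null && origin !== site };
  });
}

// Constructed sample document; the fenced copy of the tag must be ignored.
const F = "`".repeat(3);
const SAMPLE = ["# Notes", "", '<base href="https://cdn.example.net/">', "",
  F + "html", '<base href="https://docs.example.org/">', F,
  "![logo](img/logo.png)"].join("\n");

for (const f of audit(SAMPLE, "https://site.example.com/blog/post")) {
  console.log(`line ${f.line}: ${f.tag} crossOrigin=${f.crossOrigin}`);
  console.log("  img/logo.png ->",
    resolveAgainst("https://site.example.com/blog/post", "img/logo.png", f.href));
}
```

Run it over content that was authored before the upgrade to 0.17.2; a `crossOrigin` finding in stored content is worth reviewing even after patching.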

Responsible: GitHub M

Reservation: 07/16/2025

Disclosure: 07/18/2025

Moderation: accepted

CPE: ready

EPSS: 0.00289

KEV: no

Activities: very low
