CVE-2025-24981

CVSS 3.1 Score 9.3 of 10 (high)

Details

Published Feb 6, 2025

CWE ID 79

Summary

CVE-2025-24981 is a vulnerability affecting the Markdown to Vue component (MDC) tool. In affected versions, the tool's URL parsing logic in `props.ts` is unsafe and can lead to Arbitrary JavaScript Code Execution due to a bypass of the existing guards around the `javascript:` protocol scheme. An attacker can provide JavaScript URLs with HTML entities encoded via hex strings to bypass these security guards, resulting in XSS vulnerabilities in markdown parsing from unvalidated sources. This issue has been resolved in version 0.13.3 and all users are urged to upgrade. There are currently no known workarounds for this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Products

M D C

Advisories, Assessments, and Mitigations

Back to Vulnerability Database