GHSA-g485-8j3v-p6x8: @tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin

May 5, 2026

Anonymous GitHub fetches repository content (e.g., markdown files) from GitHub’s API and renders it without sanitization. On the client side, markdown is parsed with marked (with sanitize: false) and injected into the DOM via $sce.trustAsHtml() + ng-bind-html, bypassing AngularJS’s built-in XSS protection. An attacker can craft a malicious GitHub repository whose README executes arbitrary JavaScript in the Anonymous GitHub origin.

References

github.com/advisories/GHSA-g485-8j3v-p6x8
github.com/tdurieux/anonymous_github
github.com/tdurieux/anonymous_github/security/advisories/GHSA-g485-8j3v-p6x8

Code Behaviors & Features

Detect and mitigate GHSA-g485-8j3v-p6x8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →