CVE-2025-66400: mdast-util-to-hast has unsanitized class attribute
Multiple (unprefixed) class names could be added to the rendered `<code>` element from markdown source by using character references in the info string of a fenced code block. The first word of the info string becomes the `lang` of the code node and is emitted as the class `language-<lang>`; because the info string is split on whitespace before character references are decoded, an encoded space survives the split and is decoded afterwards, so `lang` contains a space and the class attribute carries additional, attacker-chosen class names that are not prefixed with `language-`. This could make rendered user-supplied markdown code elements appear like the rest of the page, for example by picking up the styling of the page's own classes.

The following markdown (the space in the info string below is the rendered form of a character reference such as `&#x20;`; a literal space would simply end the language word):

```js xss
```
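The following is an added example, not code from mdast-util-to-hast or micromark. It re-implements the two relevant steps (splitting the info string into a language word, then decoding character references) in the vulnerable order and in a hardened order, and shows the `class` attribute each produces. The sample info string `js&#x20;xss` is constructed here as the assumed shape of the advisory's input.

```javascript
// Added example: models how a character reference in a fenced-code info
// string ends up as extra class names on the rendered <code> element.
// Stand-alone re-implementation, not the library's own code. The sample
// input below is constructed.

const NAMED_REFERENCES = { amp: '&', lt: '<', gt: '>', quot: '"', nbsp: '\u00a0' };

// Decode numeric (&#32; / &#x20;) and a few named character references.
function decodeCharacterReferences(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      if (Number.isNaN(code) || code > 0x10ffff) return '\ufffd';
      return String.fromCodePoint(code);
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFERENCES, name)
      ? NAMED_REFERENCES[name]
      : match;
  });
}

// Vulnerable order: split the info string on literal whitespace first
// (first word = lang, remainder = meta, as a CommonMark tokenizer does),
// then decode character references. An encoded space survives the split
// and becomes a real space inside `lang`.
function langFromInfoVulnerable(info) {
  const firstWord = info.trim().split(/[ \t]+/)[0];
  return decodeCharacterReferences(firstWord);
}

// Hardened order: decode first, then cut at the first whitespace character,
// so `lang` can never contain a class-name separator.
function langFromInfoHardened(info) {
  const decoded = decodeCharacterReferences(info.trim());
  return decoded.split(/\s+/)[0];
}

// Apply the `language-` prefix the way a code handler does; with a space in
// `lang` the prefix only covers the first class name.
function codeClassName(lang) {
  return lang ? 'language-' + lang : '';
}

// Render the opening <code> tag. Attribute escaping alone does not help:
// a space and letters are valid attribute characters, so the injected
// class names survive intact.
function renderCodeOpenTag(className) {
  const escaped = className.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return escaped ? `<code class="${escaped}">` : '<code>';
}

// Constructed sample input (assumed shape of the advisory's markdown info string).
const SAMPLE_INFO = 'js&#x20;xss';

console.log('vulnerable:', renderCodeOpenTag(codeClassName(langFromInfoVulnerable(SAMPLE_INFO))));
console.log('hardened:  ', renderCodeOpenTag(codeClassName(langFromInfoHardened(SAMPLE_INFO))));
```

Running it prints `<code class="language-js xss">` for the vulnerable order and `<code class="language-js">` for the hardened one. The check to apply when reviewing a renderer is the ordering: any split on whitespace that feeds a class or attribute must happen after every decoding step, not before, or the decoded value must be re-validated against the expected character set.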
References
- https://github.com/advisories/GHSA-4fh9-h7wg-q85m
- https://github.com/syntax-tree/mdast-util-to-hast
- https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403
- https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7
- https://github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m
- https://nvd.nist.gov/vuln/detail/CVE-2025-66400