Plattform
nodejs
Komponente
@nuxtjs/mdc
Behoben in
0.13.4
0.13.3
CVE-2025-24981 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in the @nuxtjs/mdc module. This flaw stems from an inadequate parsing of URLs within markdown content, enabling attackers to inject and execute arbitrary JavaScript code. The vulnerability impacts versions of @nuxtjs/mdc released before 0.13.3, and a patch has been released to address the issue.
The vulnerability allows an attacker to inject malicious JavaScript code into a website using @nuxtjs/mdc. This can occur when the module processes markdown content containing specially crafted URLs. The injected script can then execute in the context of the user's browser, potentially leading to session hijacking, defacement of the website, or theft of sensitive information. The bypass of existing security measures makes this vulnerability particularly concerning, as it circumvents intended protections against malicious URLs.
This vulnerability was publicly disclosed on 2025-02-06. No known active exploits have been reported at the time of writing. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation if left unaddressed. There are currently no KEV listings for this CVE. Public proof-of-concept code is likely to emerge given the ease of exploitation.
Web applications built with Nuxt.js that utilize the @nuxtjs/mdc module for markdown rendering are at risk. This includes projects that allow user-generated content within markdown files, as attackers could inject malicious URLs through these channels. Shared hosting environments using older versions of @nuxtjs/mdc are particularly vulnerable.
• nodejs / supply-chain:
npm list @nuxtjs/mdc• nodejs / supply-chain:
grep -r 'https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16' node_modules• generic web:
Inspect markdown content for URLs containing the javascript: protocol scheme. Monitor server logs for requests containing such URLs.
disclosure
Exploit-Status
EPSS
0.03% (8% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-24981 is to upgrade to @nuxtjs/mdc version 0.13.3 or later. This version includes a fix that properly filters potentially malicious URLs. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all user-supplied markdown content before it is processed by the module. Additionally, a Web Application Firewall (WAF) configured to block requests containing suspicious URL patterns could provide an additional layer of defense. Verify the upgrade by testing markdown content with URLs containing the javascript: protocol to ensure it is properly blocked.
Aktualisieren Sie das Modul @nuxtjs/mdc auf Version 0.13.3 oder höher. Diese Version enthält eine Korrektur für die XSS-Schwachstelle. Um zu aktualisieren, führen Sie `npm update @nuxtjs/mdc` oder `yarn upgrade @nuxtjs/mdc` in Ihrem Projekt aus.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-24981 is a critical XSS vulnerability in the @nuxtjs/mdc module, allowing attackers to inject JavaScript code through improperly parsed URLs in markdown content.
You are affected if you are using @nuxtjs/mdc versions prior to 0.13.3 and process user-supplied markdown content.
Upgrade to @nuxtjs/mdc version 0.13.3 or later. Implement input validation and sanitization as a temporary workaround.
No active exploits have been reported, but the high CVSS score suggests a high likelihood of exploitation if unpatched.
Refer to the official @nuxtjs/mdc repository and associated release notes for the advisory and detailed information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.