Platform: nodejs
Component: remark-html
Fixed in: 14.0.1, 13.0.3, 13.0.2
CVE-2021-39199 is a critical Cross-Site Scripting (XSS) vulnerability affecting the remark-html Node.js package. It allows attackers to inject arbitrary HTML, which can lead to malicious script execution in a user's browser. The issue stems from a misconfiguration: the package was not safe by default, and its implementation did not match its documentation. Affected versions are those prior to 13.0.2 and 14.0.1; patches are available.
The impact of CVE-2021-39199 is significant because of the potential for arbitrary HTML injection. An attacker could inject malicious scripts into a website or application that renders Markdown with remark-html, with consequences that include stealing user credentials, redirecting users to phishing sites, defacing the website, or taking over the user's session. Because the injected HTML bypasses the sanitization the package was expected to apply, this is a high-risk vulnerability. It is particularly concerning because the package was previously believed to be safe by default, so many deployments may be relying on that assumption and remain unpatched.
Public proof-of-concept exploits for CVE-2021-39199 are likely to emerge given the ease of exploitation and the critical severity. While no active exploitation campaigns have been publicly confirmed as of this writing, the vulnerability's simplicity and potential impact make it a prime target. The vulnerability was disclosed on September 7, 2021, and is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.33% (56th percentile)
CVSS Vector
The primary mitigation for CVE-2021-39199 is to upgrade to version 13.0.2 or 14.0.1 of the remark-html package. These versions address the vulnerability by making the package safe by default and aligning the implementation with the documentation. For users unable to upgrade immediately, a temporary workaround is to explicitly enable sanitization by passing the `sanitize: true` option to the remarkHtml function, which prevents the injection of malicious HTML. After upgrading, confirm the fix by rendering test input containing HTML payloads and verifying that they are properly sanitized.
Update to version 13.0.2 or higher, or to version 14.0.1 or higher. If you cannot update, pass the `sanitize: true` option when using `remark-html` to enable user input sanitization.
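The verification step above, implemented as a regression check you can run over remark-html's rendered output after upgrading or enabling `sanitize: true`. This is an added example, not code from the remark-html project; the two sample outputs are constructed to mimic what the same Markdown renders to with sanitization off and on, and the tag allowlist is an assumption you would tune to your own sanitize schema.

```javascript
// Vulnerable default (affected versions):   remark().use(html)
// Workaround on older versions:             remark().use(html, { sanitize: true })
// The check below does not call remark-html; it inspects the HTML it produced.

// Assumed allowlist of tags your Markdown is expected to emit (tune to your schema).
const ALLOWED_TAGS = new Set([
  'p', 'a', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'h1', 'h2', 'h3',
]);

const OPEN_TAG_RE = /<([a-zA-Z][\w-]*)([^>]*)>/g;       // opening tags only
const HANDLER_RE = /\son[a-z]+\s*=/i;                   // onclick=, onerror=, ...
const JS_URL_RE = /\b(href|src)\s*=\s*["']?\s*javascript:/i;

// Scan rendered HTML for signs that raw HTML was passed through unsanitized.
// Returns a list of findings; an empty list means the output looks sanitized.
function findRawHtml(rendered) {
  const findings = [];
  for (const m of rendered.matchAll(OPEN_TAG_RE)) {
    const [tag, name, attrs] = m;
    if (!ALLOWED_TAGS.has(name.toLowerCase())) {
      findings.push(`disallowed tag: <${name}>`);
    }
    if (HANDLER_RE.test(attrs)) findings.push(`event handler attribute in: ${tag}`);
    if (JS_URL_RE.test(attrs)) findings.push(`javascript: URL in: ${tag}`);
  }
  return findings;
}

function looksSanitized(rendered) {
  return findRawHtml(rendered).length === 0;
}

// Constructed sample: Markdown with inline HTML rendered by an affected version.
const UNSANITIZED_OUTPUT =
  '<p>hello</p>\n<script>alert(1)</script>\n<p><a href="javascript:alert(1)">x</a></p>\n';
// Constructed sample: the same Markdown rendered with { sanitize: true }.
const SANITIZED_OUTPUT = '<p>hello</p>\n<p><a>x</a></p>\n';

console.log('unsanitized findings:', findRawHtml(UNSANITIZED_OUTPUT));
console.log('sanitized output passes:', looksSanitized(SANITIZED_OUTPUT));
```

Wire `looksSanitized` into a unit test that feeds your real remark pipeline a fixture containing inline HTML; if it ever returns false after a dependency bump, the sanitize default has regressed.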
CVE-2021-39199 is a critical XSS vulnerability in the remark-html Node.js package, allowing arbitrary HTML injection due to a misconfigured default setting.
You are affected if you are using remark-html versions prior to 13.0.2 or 14.0.1 and have not implemented the workaround.
Upgrade to version 13.0.2 or 14.0.1. Alternatively, use the `{sanitize: true}` option in older versions.
While no confirmed active exploitation campaigns are public, the vulnerability's ease of exploitation makes it a potential target.
Refer to the package's release notes and documentation for details on the fix and mitigation strategies.