Platform: nodejs
Component: @nuxtjs/mdc
Fixed in: 0.13.4, 0.13.3
CVE-2025-24981 describes a critical Cross-Site Scripting (XSS) vulnerability in the @nuxtjs/mdc module. The flaw stems from inadequate parsing of URLs within markdown content, which lets attackers inject and execute arbitrary JavaScript. It affects versions of @nuxtjs/mdc released before 0.13.3; a patch has been released to address the issue.
The vulnerability allows an attacker to inject malicious JavaScript into a website that uses @nuxtjs/mdc. This can occur when the module processes markdown content containing specially crafted URLs. The injected script then executes in the context of the user's browser, potentially leading to session hijacking, defacement of the website, or theft of sensitive information. The flaw is particularly concerning because the crafted URLs bypass the module's existing protections against malicious link targets.
This vulnerability was publicly disclosed on 2025-02-06. No active exploits had been reported at the time of writing. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation if left unaddressed. There are currently no KEV listings for this CVE. Public proof-of-concept code is likely to emerge given the ease of exploitation.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-24981 is to upgrade to @nuxtjs/mdc version 0.13.3 or later, which includes a fix that properly filters potentially malicious URLs. If upgrading is not immediately feasible, validate and sanitize all user-supplied markdown content before the module processes it. A Web Application Firewall (WAF) configured to block requests containing suspicious URL patterns can provide an additional layer of defense. Verify the upgrade by rendering markdown content whose links use the javascript: protocol and confirming that such links are blocked.
Update the @nuxtjs/mdc module to version 0.13.3 or higher; this version contains the fix for the XSS vulnerability. To update, run `npm update @nuxtjs/mdc` or `yarn upgrade @nuxtjs/mdc` in your project.
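The following is an added example, not code from @nuxtjs/mdc or its maintainers (the project's own fix ships in 0.13.3). It implements the interim "validate and sanitize user-supplied markdown" mitigation above as a pre-render check on link destinations: each destination is parsed with the WHATWG URL parser and only an allow-list of schemes is kept, so the comparison is made on the parser's normalized scheme rather than by string matching on `javascript:`. The allow-list, the placeholder base `https://example.invalid/`, the regexes (inline links, images and reference definitions only) and the sample markdown are all assumptions of this example.

```javascript
// Added example (not @nuxtjs/mdc's own code): allow-list check of markdown
// link destinations, run on user-supplied markdown before it reaches the
// renderer. Works in Node.js (global WHATWG `URL`, Node 10+).

// Schemes a link target may use. Everything else (javascript:, data:,
// vbscript:, ...) is rejected. This allow-list is an assumption of the example.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Placeholder base, used only so relative destinations ("/docs", "#top")
// resolve and inherit an allowed scheme. Not a real host.
const RESOLVE_BASE = 'https://example.invalid/';

// True if `href` resolves to an allowed scheme. The URL parser strips
// leading/trailing whitespace and embedded tab/newline characters and
// lower-cases the scheme, so the check sees the normalized form a browser
// would act on, not the raw bytes the author typed.
function isSafeHref(href) {
  let parsed;
  try {
    parsed = new URL(href, RESOLVE_BASE);
  } catch (err) {
    return false; // unparseable destination: reject rather than pass through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Inline links and images: `[text](dest "title")` / `![alt](dest)`.
// The destination may be wrapped in <...> and may contain one level of
// balanced parentheses, as in "javascript:alert(1)".
const INLINE_LINK = /(!?\[[^\]]*\]\()\s*(<[^>]*>|(?:[^\s()]|\([^\s()]*\))+)([^)]*\))/g;
// Reference definitions at line start: `[id]: dest "title"`.
const REF_DEF = /^(\s{0,3}\[[^\]]+\]:\s*)(<[^>]*>|\S+)/gm;
const NEUTRALIZED = '#';

// Replace every destination that fails isSafeHref with "#", leaving the
// link text in place so the document still renders.
function sanitizeMarkdownLinks(markdown) {
  const fix = (dest) => {
    const bare = dest.startsWith('<') && dest.endsWith('>') ? dest.slice(1, -1) : dest;
    return isSafeHref(bare) ? dest : NEUTRALIZED;
  };
  return markdown
    .replace(INLINE_LINK, (_m, open, dest, rest) => open + fix(dest) + rest)
    .replace(REF_DEF, (_m, open, dest) => open + fix(dest));
}

// Constructed sample input (not taken from the advisory).
const SAMPLE_MARKDOWN = [
  '[docs](/guide) and [site](https://example.com "home")',
  '[bad](javascript:alert(1)) and [also bad](<  JavaScript:alert(1)>)',
  '![pic](data:image/png;base64,AAAA)',
  '[ref]: javascript:void(0)',
].join('\n');

console.log(sanitizeMarkdownLinks(SAMPLE_MARKDOWN));
```

The regexes inspect markdown link syntax only; raw HTML embedded in the markdown (an `<a href>` tag) is not touched, so keep HTML rendering disabled in the renderer or pass its output through a DOM sanitizer. Parsing with `URL` and allow-listing the resulting `protocol` is what makes the leading-whitespace, mixed-case and tab-separated variants in the sample come out as `#`: a deny-list that compares the raw string against `javascript:` would miss them. Running markdown with such destinations through the renderer and confirming that no clickable `javascript:` href is emitted is the same verification step the mitigation above recommends after upgrading.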
CVE-2025-24981 is a critical XSS vulnerability in the @nuxtjs/mdc module, allowing attackers to inject JavaScript code through improperly parsed URLs in markdown content.
You are affected if you use @nuxtjs/mdc versions prior to 0.13.3 and process user-supplied markdown content.
Upgrade to @nuxtjs/mdc version 0.13.3 or later. Implement input validation and sanitization as a temporary workaround.
No active exploits have been reported, but the high CVSS score suggests a high likelihood of exploitation if unpatched.
Refer to the official @nuxtjs/mdc repository and associated release notes for the advisory and detailed information.