CVE-2025-54075
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nuxtjs | mdc | 0.17.0 |
| nuxtjs | mdc | 0.17.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in the @nuxtjs/mdc package used to render Markdown content in Nuxt projects. It allows a Markdown author to inject a `<base>` HTML tag with a malicious `href` attribute pointing to an attacker-controlled domain. The `<base>` tag changes how all relative URLs on the page are resolved, causing scripts, styles, or images to be loaded from the attacker's domain. This enables the attacker to execute arbitrary JavaScript in the context of the vulnerable site. [2]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to full visitor session takeover, credential theft, website defacement, phishing attacks, cross-site request forgery (CSRF), and other malicious actions by executing attacker-controlled scripts within the vulnerable site's context. It affects any Nuxt project using @nuxtjs/mdc to render user-controlled Markdown, such as blogs, CMSs, documentation, or comments. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting rendered Markdown content for the presence of a `<base>` tag with an external `href` attribute, such as `<base href="https://attacker.tld">`. On the system or network, you can search for such tags in the HTML output or logs. For example, you can use commands like `grep -r '<base href=' /path/to/rendered/html` to find occurrences of the `<base>` tag. Additionally, monitoring HTTP responses for injected `<base>` tags or unusual external resource loading can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the @nuxtjs/mdc package to version 0.17.2 or later, which contains a fix that sanitizes dangerous tags like `<base>`. If upgrading is not immediately possible, disable raw HTML rendering in Markdown or use an external sanitizer such as DOMPurify configured to forbid the `<base>` tag (e.g., `FORBID_TAGS: ['base']`). Additionally, disallow or sanitize `<base>` tags in the Markdown renderer or restrict the `<base>` tag's `href` attribute to same-origin URLs to prevent loading resources from attacker-controlled domains. [1, 2]
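The detection check described above, combined with the same-origin test from the mitigation answer, as an added example for Node.js (not code from the advisory or from @nuxtjs/mdc). Unlike the plain `grep`, it also catches upper-case tags, reordered attributes and unquoted or protocol-relative `href` values; `SITE_ORIGIN`, the function names and the sample pages are assumptions constructed for illustration.

```javascript
// Constructed values: SITE_ORIGIN and SAMPLE_PAGES are illustrative, not from the advisory.
const SITE_ORIGIN = 'https://docs.example.test';

// <base ...> in any letter case, attributes in any order, possibly spanning lines.
const BASE_TAG = /<base(?=[\s\/>])([^>]*)>/gi;
// href value: double-quoted, single-quoted or unquoted.
const HREF_ATTR = /(?:^|\s)href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Return every <base href> in the HTML, marking those that leave siteOrigin.
// Limitation: HTML entities inside href are not decoded, so review all hits.
function findBaseTags(html, siteOrigin = SITE_ORIGIN) {
  const findings = [];
  for (const m of html.matchAll(BASE_TAG)) {
    const attr = HREF_ATTR.exec(m[1]);
    if (!attr) continue; // no href: relative URLs are not re-rooted
    const href = (attr[1] ?? attr[2] ?? attr[3]).trim();
    let crossOrigin;
    try {
      // Resolve as a browser would, so "//host" and "/path" are handled.
      crossOrigin = new URL(href, siteOrigin + '/').origin !== siteOrigin;
    } catch {
      crossOrigin = true; // unparsable href: treat as suspicious
    }
    findings.push({ tag: m[0], href, crossOrigin, offset: m.index });
  }
  return findings;
}

// Scan a map of { fileName: html } and keep only pages with a cross-origin <base>.
function scanPages(pages, siteOrigin = SITE_ORIGIN) {
  return Object.entries(pages)
    .map(([name, html]) => ({
      name,
      hits: findBaseTags(html, siteOrigin).filter((f) => f.crossOrigin),
    }))
    .filter((r) => r.hits.length > 0);
}

const SAMPLE_PAGES = {
  'clean.html': '<head><title>ok</title></head><p>hi</p>',
  'relative.html': '<head><base href="/docs/"></head>',
  'injected.html': '<p>intro</p><BASE\n target="_top" HREF="https://attacker.tld">',
  'unquoted.html': '<base href=//attacker.tld/>',
};

for (const page of scanPages(SAMPLE_PAGES)) {
  for (const h of page.hits) console.log(`${page.name}: offset ${h.offset}: ${h.tag}`);
}
```

Run it over the build output or captured HTTP response bodies; `findBaseTags` also returns same-origin `<base>` tags (with `crossOrigin: false`) for sites that never emit one legitimately.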