CVE-2025-66400
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-01

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-01
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2025-12-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66400
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
syntax-tree mdast-util-to-hast From 13.0.0 (inc) to 13.2.1 (inc)
unifiedjs mdast-util-to-hast From 13.0.0 (inc) to 13.2.1 (inc)
mdast-util mdast-util-to-hast 13.2.1
mdast-util mdast-util-to-hast 13.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in mdast-util-to-hast versions from 13.0.0 to before 13.2.1 allows multiple unprefixed classnames to be added in markdown source by using character references. This means that user-supplied markdown code elements could be made to appear like the rest of the page, potentially misleading users about the origin or nature of the content. The issue was fixed in version 13.2.1.

Impact Analysis

The vulnerability could allow an attacker to manipulate the appearance of user-supplied markdown code elements so that they look like legitimate parts of the page. This could lead to confusion or deception, potentially enabling phishing or other social engineering attacks by making malicious content appear trustworthy or integrated with the rest of the page.

Mitigation Strategies

Update mdast-util-to-hast to version 13.2.1 or later, as this version contains the fix for the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart