CVE-2025-66400
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-01

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-01
Last Modified
2026-02-06
Generated
2026-05-07
AI Q&A
2025-12-02
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66400
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
syntax-tree mdast-util-to-hast From 13.0.0 (inc) to 13.2.1 (inc)
unifiedjs mdast-util-to-hast From 13.0.0 (inc) to 13.2.1 (inc)
mdast-util mdast-util-to-hast 13.2.1
mdast-util mdast-util-to-hast 13.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in mdast-util-to-hast versions from 13.0.0 to before 13.2.1 allows multiple unprefixed classnames to be added in markdown source by using character references. This means that user-supplied markdown code elements could be made to appear like the rest of the page, potentially misleading users about the origin or nature of the content. The issue was fixed in version 13.2.1.


How can this vulnerability impact me? :

The vulnerability could allow an attacker to manipulate the appearance of user-supplied markdown code elements so that they look like legitimate parts of the page. This could lead to confusion or deception, potentially enabling phishing or other social engineering attacks by making malicious content appear trustworthy or integrated with the rest of the page.


What immediate steps should I take to mitigate this vulnerability?

Update mdast-util-to-hast to version 13.2.1 or later, as this version contains the fix for the vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart