CVE-2025-66400
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66400, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-01

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description

mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-01
Last Modified
2026-02-06
Generated
2026-07-06
AI Q&A
2025-12-02
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
syntax-tree mdast-util-to-hast From 13.0.0 (inc) to 13.2.1 (inc)
unifiedjs mdast-util-to-hast From 13.0.0 (inc) to 13.2.1 (inc)
mdast-util mdast-util-to-hast 13.2.1
mdast-util mdast-util-to-hast 13.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in mdast-util-to-hast versions from 13.0.0 to before 13.2.1 allows multiple unprefixed classnames to be added in markdown source by using character references. This means that user-supplied markdown code elements could be made to appear like the rest of the page, potentially misleading users about the origin or nature of the content. The issue was fixed in version 13.2.1.

Impact Analysis

The vulnerability could allow an attacker to manipulate the appearance of user-supplied markdown code elements so that they look like legitimate parts of the page. This could lead to confusion or deception, potentially enabling phishing or other social engineering attacks by making malicious content appear trustworthy or integrated with the rest of the page.

Mitigation Strategies

Update mdast-util-to-hast to version 13.2.1 or later, as this version contains the fix for the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart