CVE-2016-10531: Sanitization bypass using HTML Entities in marked
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.52016%
CWE
Published
2/18/2019
Updated
9/7/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
marked | npm | < 0.3.6 | 0.3.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how marked's unescape function
processed HTML entities in link URIs. The original regex
matched entities on a best-effort basis, failing to properly validate
semicolon termination and entity syntax. This allowed attackers to craft URIs where HTML entities decode to 'javascript:' after sanitization checks, but before final rendering. The commit 2cff859
explicitly tightens the entity regex
pattern to prevent this bypass.