6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-10531

GHSA ID

GHSA-vfvf-mqq8-rwqc

EPSS Score

0.52016%

CWE

CWE-79

Published

2/18/2019

Updated

9/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10531

CVE-2016-10531: Sanitization bypass using HTML Entities in marked

Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured.

Proof of Concept

This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.

For example:

A link URI such as

javascript&#x58document;alert&#40;1&#41;

Renders a valid link that when clicked will execute alert(1).

Recommendation

Update to version 0.3.6 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-10531

GHSA ID

GHSA-vfvf-mqq8-rwqc

EPSS Score

0.52016%

CWE

CWE-79

Published

2/18/2019

Updated

9/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
marked	npm	< 0.3.6	0.3.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how marked's unescape function processed HTML entities in link URIs. The original regex matched entities on a best-effort basis, failing to properly validate semicolon termination and entity syntax. This allowed attackers to craft URIs where HTML entities decode to 'javascript:' after sanitization checks, but before final rendering. The commit 2cff859 explicitly tightens the entity regex pattern to prevent this bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `m*rk**` *r* sus**pti*l* to * *ross-sit* s*riptin* vuln*r**ility in link *ompon*nts w**n `s*nitiz*:tru*` is *on*i*ur**. ## Proo* o* *on**pt T*is *l*w *xists ****us* link URIs *ont*inin* *TML *ntiti*s **t pro**ss** in *n **norm

Reasoning

T** vuln*r**ility st*ms *rom *ow m*rk**'s un*s**p* `*un*tion` pro**ss** *TML *ntiti*s in link URIs. T** ori*in*l `r***x` m*t**** *ntiti*s on * **st-***ort **sis, **ilin* to prop*rly `v*li**t*` s*mi*olon t*rmin*tion *n* *ntity synt*x. T*is *llow** *tt

6.1

Basic Information

Concerned about an active attack path?

CVE-2016-10531: Sanitization bypass using HTML Entities in marked

Proof of Concept

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI