CVE-2022-41709: Markdownify subject to Remote Code Execution via malicious markdown file

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.11061%
CWE: -
Published: 10/19/2022
Updated: 1/30/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: electron-markdownify
Ecosystem: npm
Vulnerable Versions: <= 1.4.1
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems directly from enabling nodeIntegration in Electron's BrowserWindow configuration. This setting allows the renderer process to access Node.js APIs, which, when combined with rendering of untrusted content (markdown files), enables RCE through constructs like require('child_process').exec(). The main.js file is Electron's main process entry point, where window configuration typically occurs. While no specific function names are provided in available sources, the BrowserWindow instantiation with insecure settings is the root cause.
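
A configuration check for the setting described above, as an added example (not Markdownify's code and not taken from the advisory). The webPreferences option names are real Electron settings; the function name, rule list and both sample objects are constructed for illustration.

```javascript
'use strict';

// Each rule: option name, the value that is safe, and what the unsafe value exposes.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    why: 'renderer content can reach Node.js APIs' },
  { key: 'contextIsolation', safe: true,
    why: 'page scripts share a context with preload scripts and Electron internals' },
  { key: 'sandbox', safe: true,
    why: 'renderer runs without the Chromium sandbox' },
  { key: 'webSecurity', safe: true,
    why: 'same-origin policy is disabled' },
];

// Returns a list of findings; an empty list means every option is pinned to its safe value.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, why } of RULES) {
    if (!(key in prefs)) {
      // Defaults changed across Electron major versions, so an absent key
      // is reported instead of being assumed safe.
      findings.push({ key, severity: 'info', detail: 'not set; relies on the Electron default' });
    } else if (prefs[key] !== safe) {
      findings.push({ key, severity: 'high', detail: why });
    }
  }
  return findings;
}

// Constructed sample: the kind of configuration the root cause analysis describes.
const insecurePrefs = { nodeIntegration: true };

// Constructed sample: preferences for a window that renders untrusted markdown.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// In an Electron main process the hardened object would be passed as
// new BrowserWindow({ webPreferences: hardenedPrefs }).
console.log(auditWebPreferences(insecurePrefs));
console.log(auditWebPreferences(hardenedPrefs));
```
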
