9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-24981

GHSA ID

GHSA-j82m-pc2v-2484

EPSS Score

0.52747%

CWE

CWE-79

Published

2/6/2025

Updated

2/6/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24981

CVE-2025-24981: Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc

Summary

An unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the javascript: protocol scheme in the URL.

Details

The parsing logic implement at https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16 maintains a deny-list approach to filtering potential malicious payload. It does so by matching protocol schemes like javascript: and others.

Specifically, this is the code from the mdc library's parser that is not secure enough:

export const unsafeLinkPrefix = [
  'javascript:',
  'data:text/html',
  'vbscript:',
  'data:text/javascript',
  'data:text/vbscript',
  'data:text/css',
  'data:text/plain',
  'data:text/xml'
]

export const validateProp = (attribute: string, value: string) => {
  if (attribute.startsWith('on')) {
    return false
  }

  if (attribute === 'href' || attribute === 'src') {
    return !unsafeLinkPrefix.some(prefix => value.toLowerCase().startsWith(prefix))
  }

  return true
}

These security guards can be bypassed by an adversarial that provides JavaScript URLs with HTML entities encoded via hex string.

PoC

The following URL payloads if provided to the markdown parsing library (such as through the usage of import { parseMarkdown } from '@nuxtjs/mdc/runtime';) will trigger the alert() dialog:

# ✅ This is correctly escaped by the parser

- XSS Attempt:

<a href="javascript:alert(1)"> this gets sanitizied, yay!</a>

# ❌ These are vulnerable and not escaped

- Bypass 1:

<a href="jav&#x09;ascript:alert('XSS');">Click Me 1</a>

- Bypass 2:

<a href="jav&#x0A;ascript:alert('XSS');">Click Me 2</a>

- Bypass 3:

<a href="jav&#10;ascript:alert('XSS');">Click Me 3</a>

Impact

Users who consume this library and perform markdown parsing from unvalidated sources such as LLM generative text responses, user input and other untrusted sources could result in rendering vulnerable XSS anchor links.

Miggo Vulnerability Database

→

CVE-2025-24981

CVE-2025-24981:

9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-24981

GHSA ID

GHSA-j82m-pc2v-2484

EPSS Score

0.52747%

CWE

CWE-79

Published

2/6/2025

Updated

2/6/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@nuxtjs/mdc	npm	<= 0.13.2	0.13.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from validateProp's insecure implementation of URL validation. The function checked if href/src values started with dangerous protocols (javascript: etc.) using value.toLowerCase().startsWith(prefix) on the raw input. This failed to account for HTML entity encoding in the URL (e.g., jav ascript:), which would decode to a valid javascript: protocol after HTML parsing. The patch introduced a new isAnchorLinkAllowed function that properly decodes and sanitizes the URL before validation, confirming the weakness was in validateProp's original implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-24981: Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc

Summary

Details

PoC

Impact

CVE-2025-24981:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

9.3

9.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-24981: Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc

Summary

Details

PoC

Impact

Reference

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI