N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66400

GHSA ID

GHSA-4fh9-h7wg-q85m

EPSS Score

CWE

CWE-20

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66400

CVE-2025-66400: mdast-util-to-hast has unsanitized class attribute

Impact

Multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. The following markdown:

```js&#x20;xss
```

Would create <pre><code class="language-js xss"></code></pre> If your page then applied .xss classes (or listeners in JS), those apply to this element. For more info see https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md#unsanitized-class-attribute

Patches

The bug was patched. When using regular semver, run npm install. For exact ranges, make sure to use 13.2.1.

Workarounds

Update.

References

bug introduced in https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403
bug fixed in https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66400

CVE-2025-66400:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66400

GHSA ID

GHSA-4fh9-h7wg-q85m

EPSS Score

CWE

CWE-20

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mdast-util-to-hast	npm	>= 13.0.0, < 13.2.1	13.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patches clearly indicates that the vulnerability lies within the code function in the lib/handlers/code.js file. The commit that introduced the bug (6fc783ae) removed the logic that sanitized the node.lang property, instead using the raw value to construct the className. The fixing commit (ab3a7957) re-introduced sanitization by splitting the node.lang string by whitespace and only using the first resulting token. This prevents the injection of additional class names through character-encoded spaces. Therefore, the code function is the precise location of the vulnerability, as it is responsible for processing the user-controlled lang attribute and generating the vulnerable HTML.

Vulnerable functions

code

lib/handlers/code.js

The vulnerability was introduced in commit 6fc783ae, where the `code` function was changed to use the raw `node.lang` property to construct the `className`. This allowed character-encoded whitespace to be interpreted by browsers, leading to the creation of multiple classes on the `<code>` element. The vulnerable code was `- properties.className = ['language-' + node.lang]`. An attacker could provide a language string like `js xss`, which would result in `<code class="language-js xss">`, allowing them to apply arbitrary CSS classes.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66400: mdast-util-to-hast has unsanitized class attribute

Impact

Patches

Workarounds

References

CVE-2025-66400:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-66400: mdast-util-to-hast has unsanitized class attribute

Impact

Patches

Workarounds

References

Basic Information

Basic Information

N/A

N/A

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI