CVE-2021-39199
Unsafe defaults in `remark-html`
Description
### Impact The documentation of `remark-html` has mentioned that it was safe by default. In practise the default was never safe and had to be opted into. This means arbitrary HTML can be passed through leading to potential XSS attacks. ### Patches The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. ### Workarounds On older affected versions, pass `sanitize: true`, like so: ```diff - .use(remarkHtml) + .use(remarkHtml, {sanitize: true}) ``` ### References n/a ### For more information If you have any questions or comments about this advisory: * Open an issue in [`remark-html`](https://github.com/remarkjs/remark-html) * Email us at [[email protected]](mailto:[email protected])
How to fix CVE-2021-39199
To remediate CVE-2021-39199, upgrade the affected package to a fixed version below.
- —upgrade to 13.0.2 or later
Is CVE-2021-39199 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 13.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |