CVE-2020-28455
📋 TL;DR
CVE-2020-28455 is a cross-site scripting (XSS) vulnerability in the markdown-it-toc npm package. It allows attackers to inject scripts through table-of-contents headers that are not properly escaped when the TOC HTML is generated. This affects all websites and applications using any version of markdown-it-toc to generate markdown content.
💻 Affected Systems
- markdown-it-toc
📦 What is this software?
Markdown It Toc by Markdown It Toc Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Reflected XSS attacks where attackers craft malicious markdown content that gets processed by vulnerable systems, leading to script execution in victims' browsers.
If Mitigated
With proper content security policies (CSP) and input validation, impact is limited to script execution within the context of the affected page only.
🎯 Exploit Status
Exploitation requires the ability to inject markdown content that gets processed by the vulnerable package. Public proof-of-concept examples demonstrate simple XSS payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.0 and later
Vendor Advisory: https://github.com/nagaozen/markdown-it-toc/security/advisories/GHSA-5jq9-6j8w-2wvq
Restart Required: No
Instructions:
1. Update package.json to use markdown-it-toc version 1.1.0 or higher.
2. Run 'npm update markdown-it-toc' or 'yarn upgrade markdown-it-toc'.
3. Test that table of contents generation still works correctly.
🔧 Temporary Workarounds
Input Sanitization
Implement server-side sanitization of all markdown content before processing with markdown-it-toc
Content Security Policy
Implement strict Content-Security-Policy headers to mitigate XSS impact
🧯 If You Can't Patch
- Disable markdown-it-toc functionality entirely if not essential
- Implement output encoding for all table of contents headers in your application code
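The output-encoding workaround above, shown as an added example that is not markdown-it-toc's own code: heading text is HTML-encoded before it is placed in the TOC, and the anchor id is reduced to a safe character set so nothing from a heading can break out of the href attribute. The `headings` array shape (`{level, text}`) and the sample headings are constructed for this example.

```javascript
// Added example (not part of markdown-it-toc): output-encode TOC headers.

// Encode the five characters that matter in text nodes and quoted attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Conservative anchor id: lowercase letters, digits and hyphens only.
function slugify(text) {
  return String(text)
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
}

// Render a flat TOC list from headings of the (hypothetical) shape {level, text}.
// The heading level is exposed as a class so CSS can indent it; the text itself
// is never concatenated into the HTML unencoded.
function renderToc(headings) {
  let html = '<ul>';
  for (const h of headings) {
    html += `<li class="toc-level-${Number(h.level)}">` +
      `<a href="#${slugify(h.text)}">${escapeHtml(h.text)}</a></li>`;
  }
  return html + '</ul>';
}

// Constructed sample input: one heading carries markup that must stay inert.
const SAMPLE_HEADINGS = [
  { level: 1, text: 'Intro' },
  { level: 2, text: 'Notes <script>x</script> & "quotes"' },
];

// The rendered TOC contains the encoded form only: no raw <script> survives.
const toc = renderToc(SAMPLE_HEADINGS);
```

Apply the same encoding to any other place the application echoes heading text (breadcrumbs, page titles), since the TOC is only one sink for the same untrusted input.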
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for markdown-it-toc version below 1.1.0
Check Version:
npm list markdown-it-toc | grep markdown-it-toc
Verify Fix Applied:
Verify installed version is 1.1.0 or higher using 'npm list markdown-it-toc'
📡 Detection & Monitoring
Log Indicators:
- Unusual markdown content patterns with script tags or JavaScript in headers
Network Indicators:
- Requests containing suspicious markdown payloads with script elements
SIEM Query:
web_logs WHERE url_contains('markdown') AND (body_contains('<script>') OR body_contains('javascript:'))