CVE-2022-40011

6.1 MEDIUM

📋 TL;DR

Typora markdown editor versions through 1.3.8 contain a cross-site scripting (XSS) vulnerability when exporting documents containing malicious SVG elements. Attackers can craft documents that execute arbitrary JavaScript in the victim's browser context when exported and viewed. This affects all Typora users who open untrusted documents and export them.

💻 Affected Systems

Products:
  • Typora
Versions: All versions through 1.3.8
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires user to export a document containing malicious SVG, then open the exported file. The vulnerability exists in the export functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of user's browser session, allowing theft of authentication cookies, session hijacking, and execution of arbitrary actions within the user's Typora environment.

🟠

Likely Case

Limited data theft from the user's browser session, potential for credential harvesting if user is logged into web services while viewing the document.

🟢

If Mitigated

No impact if users only open trusted documents or have disabled JavaScript execution in their browser.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious document, but exploitation can occur without network connectivity once document is loaded.
🏢 Internal Only: MEDIUM - Same exploitation requirements, but internal users may be more likely to open documents from trusted sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in public GitHub gist. Exploitation requires social engineering to get victim to open malicious document.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0 and later

Vendor Advisory: https://typora.io/releases/all

Restart Required: Yes

Instructions:

1. Open Typora.
2. Go to Help > Check for Updates.
3. Download and install version 1.4.0 or later.
4. Restart Typora.

🔧 Temporary Workarounds

Disable SVG rendering

Platforms: all

Prevent Typora from rendering SVG elements which could contain malicious payloads

Not applicable - configuration setting

Use sandboxed environment

Platforms: all

Run Typora in a sandboxed or isolated environment to limit impact of potential XSS

🧯 If You Can't Patch

  • Only open documents from trusted sources and avoid exporting untrusted documents
  • Use browser extensions that block JavaScript execution in local HTML files
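
To triage an untrusted document before exporting it, a pre-export check can flag script-capable constructs inside SVG elements. The following is an added example, not part of the original advisory or of Typora; the class and function names are hypothetical, the sample inputs are constructed, and the heuristics are generic SVG checks that may not cover every construct.

```python
from html.parser import HTMLParser

URL_ATTRS = {"href", "xlink:href"}  # attributes that can carry a javascript: URL


class SvgActiveContentFinder(HTMLParser):
    """Records (line, reason) for script-capable constructs inside <svg>."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def _flag(self, reason):
        self.findings.append((self.getpos()[0], reason))

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return
        if tag == "script":
            self._flag("<script> inside <svg>")
        elif tag == "foreignobject":
            self._flag("<foreignObject> embeds HTML inside <svg>")
        for name, value in attrs:
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self._flag(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self._flag(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_document(text):
    """Return findings for a Markdown or exported HTML document given as a string."""
    finder = SvgActiveContentFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


# Constructed samples: generic constructs, not the public PoC for this CVE.
SAMPLE_SUSPECT = '# Notes\n<svg onload="f()">\n<a xlink:href="javascript:f()">x</a>\n<script>f()</script>\n</svg>\n'
SAMPLE_CLEAN = '# Diagram\n<svg width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>\n'
```

Any finding is a reason to hold the document back from export until it has been reviewed; an empty result does not prove the document is safe.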

🔍 How to Verify

Check if Vulnerable:

Check Typora version in Help > About. If version is 1.3.8 or earlier, system is vulnerable.

Check Version:

On Typora: Help > About. On command line: typora --version (if installed via package manager)

Verify Fix Applied:

Verify Typora version is 1.4.0 or later in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual document export activity
  • Multiple failed export attempts

Network Indicators:

  • Outbound connections from Typora to unexpected domains after document export

SIEM Query:

process.name:"Typora.exe" AND event.action:"export" AND (file.extension:"html" OR file.extension:"pdf")
