CVE-2024-38354
📋 TL;DR
CVE-2024-38354 is a cross-site scripting (XSS) vulnerability in CodiMD/HackMD's notebook feature that allows attackers to inject malicious scripts via improperly sanitized iframe name attributes. This enables DOM clobbering attacks where attackers can hijack user sessions, steal credentials, or perform actions on behalf of users. All users of affected CodiMD/HackMD instances are potentially impacted.
💻 Affected Systems
- CodiMD
- HackMD
📦 What is this software?
CodiMD by HackMD
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the entire CodiMD instance, access all user notes, and pivot to internal network systems if the CodiMD server has internal network access.
Likely Case
Attackers steal user session cookies, impersonate users to view/edit private notes, and potentially inject malware into user browsers.
If Mitigated
With proper content security policies and input validation, the attack surface is reduced, but the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires the attacker to create or edit a note with malicious iframe content. The advisory includes technical details that make weaponization straightforward for skilled attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.4
Vendor Advisory: https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9
Restart Required: Yes
Instructions:
1. Back up your CodiMD instance and database.
2. Update to version 2.5.4 using your package manager or by downloading from GitHub.
3. Restart the CodiMD service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable iframe rendering
Temporarily disable rendering of the iframe HTML tag in the CodiMD configuration to prevent exploitation
Modify config.json to set "allowIframe": false in the markdown section
Implement Content Security Policy
Add strict CSP headers to limit script execution
Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
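As an added illustration of the DOM clobbering mechanism described in the TL;DR (this is not CodiMD's own sanitizer nor code from the advisory), the following Node.js filter drops iframe name attributes that could shadow window or document properties before a note is rendered. The tag regex, the allow-policy and the denylist of global names are all assumptions made for the example.

```javascript
// Added example, not CodiMD's own code: a pre-render filter that removes
// iframe `name` attributes able to clobber window/document properties.
// The denylist is illustrative, not exhaustive; the real fix is version 2.5.4
// (or disabling iframe rendering entirely, as in the workaround above).

// A named frame becomes window[name]; these names shadow globals that
// page scripts rely on, which is the clobbering vector.
const CLOBBERABLE_GLOBALS = new Set([
  'document', 'location', 'window', 'self', 'top', 'parent', 'frames',
  'opener', 'name', 'length', 'alert', 'fetch', 'eval', 'constructor',
]);

// Conservative allow-policy for user-supplied frame names (assumption):
// must start with a letter, use only [A-Za-z0-9_-], and not match a global.
function isSafeFrameName(value) {
  return /^[A-Za-z][A-Za-z0-9_-]{0,63}$/.test(value)
    && !CLOBBERABLE_GLOBALS.has(value.toLowerCase());
}

// Remove unsafe name="..." (quoted or unquoted, any case) from every
// <iframe ...> opening tag; all other attributes are left untouched.
function stripUnsafeIframeNames(html) {
  return html.replace(/<(iframe)\b([^>]*)>/gi, (tag, tagName, attrs) => {
    const cleaned = attrs.replace(
      /\s+name\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi,
      (attr, rawValue) => {
        const value = rawValue.replace(/^["']|["']$/g, '');
        return isSafeFrameName(value) ? attr : '';
      });
    return `<${tagName}${cleaned}>`;
  });
}

// Constructed sample note body: one clobbering frame, one benign frame.
const sample =
  '<p>notes</p><iframe name="document" src="https://example.com/"></iframe>' +
  '<iframe name="preview" src="/embed"></iframe>';

const filtered = stripUnsafeIframeNames(sample);
console.log(filtered);
```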
🧯 If You Can't Patch
- Restrict note creation/editing to trusted users only
- Implement web application firewall rules to block suspicious iframe attributes
🔍 How to Verify
Check if Vulnerable:
Check whether your CodiMD version is below 2.5.4 and test whether iframe name attributes are properly sanitized
Check Version:
Run npm list codimd, or check the version field in package.json
Verify Fix Applied:
After updating to 2.5.4, verify that malicious iframe name attributes no longer execute scripts
📡 Detection & Monitoring
Log Indicators:
- Unusual iframe tags in note edit logs
- Multiple failed script execution attempts
Network Indicators:
- Suspicious iframe attributes in HTTP requests
- Unexpected external resource loads
SIEM Query:
source="codimd" AND ("iframe" OR "name=" OR "javascript:")