CVE-2024-7739

4.3 MEDIUM

📋 TL;DR

This vulnerability in the yzane vscode-markdown-pdf extension allows cross-site scripting (XSS) attacks when processing malicious markdown files. Attackers can inject and execute arbitrary JavaScript code in the context of the victim's browser. Users of the Visual Studio Code markdown-pdf extension version 1.5.0 are affected.

💻 Affected Systems

Products:
  • yzane vscode-markdown-pdf
Versions: 1.5.0
Operating Systems: All platforms running Visual Studio Code
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have installed and use the markdown-pdf extension in Visual Studio Code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of user session, credential theft, or installation of malware through malicious JavaScript execution in the victim's browser context.

🟠 Likely Case

Session hijacking, cookie theft, or defacement of generated PDF content through injected scripts.

🟢 If Mitigated

Limited impact with proper content security policies and input validation, potentially only affecting PDF rendering quality.

🌐 Internet-Facing: MEDIUM - Attack requires user to open malicious markdown file, but exploitation can be remote via file sharing or downloads.
🏢 Internal Only: MEDIUM - Internal users could be targeted through shared documents or collaboration tools.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept video and documentation are publicly available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Remove or disable the extension until a fix is released.

🔧 Temporary Workarounds

Disable or Remove Extension

all

Uninstall the vulnerable markdown-pdf extension from Visual Studio Code

code --uninstall-extension yzane.markdown-pdf

Use Alternative PDF Export

all

Use alternative markdown to PDF conversion tools instead of the vulnerable extension

🧯 If You Can't Patch

  • Restrict opening untrusted markdown files in Visual Studio Code
  • Implement strict content security policies in the browser when viewing generated PDFs

🔍 How to Verify

Check if Vulnerable:

Check Visual Studio Code extensions list for 'markdown-pdf' by yzane version 1.5.0

Check Version:

code --list-extensions --show-versions | grep markdown-pdf

Verify Fix Applied:

Verify extension is removed or disabled in Visual Studio Code extensions panel
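
The version check above as a script, added here as an example (it is not from the advisory or the extension's project). It matches the exact extension ID rather than a substring, so an unrelated extension whose name contains "markdown-pdf" is not reported; the function name, status words and sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Classify `code --list-extensions --show-versions` output against this advisory.
AFFECTED_ID="yzane.markdown-pdf"   # extension ID from the uninstall command above
AFFECTED_VERSION="1.5.0"           # the only version the advisory lists as affected

# Reads "publisher.name@version" lines on stdin and prints one of:
#   NOT_INSTALLED | AFFECTED <version> | REVIEW <version>
# Exit status: 0 = not installed, 1 = affected, 2 = installed at another version.
check_markdown_pdf() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line endings
        case "$line" in
            *@*) ;;                                # has a version suffix
            *) continue ;;                         # skip anything else
        esac
        # Lower-case the ID so a differently cased listing still matches.
        id=$(printf '%s' "${line%@*}" | tr '[:upper:]' '[:lower:]')
        version=${line##*@}
        [ "$id" = "$AFFECTED_ID" ] || continue     # exact ID match only
        if [ "$version" = "$AFFECTED_VERSION" ]; then
            echo "AFFECTED $version"
            return 1
        fi
        # The advisory lists no fixed release, so other versions need a manual look.
        echo "REVIEW $version"
        return 2
    done
    echo "NOT_INSTALLED"
    return 0
}

# Constructed sample listing (not real output), with CRLF endings as on Windows.
sample_listing() {
    printf '%s\r\n' 'ms-python.python@2024.8.1' 'yzane.markdown-pdf@1.5.0'
}

status=$(sample_listing | check_markdown_pdf) || true
echo "sample listing: $status"

# On a workstation, feed it the real listing instead:
#   code --list-extensions --show-versions | check_markdown_pdf
```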

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in PDF generation processes
  • Suspicious markdown file processing

Network Indicators:

  • External script loading in generated PDF files
  • Unexpected outbound connections from PDF viewer

SIEM Query:

process_name:"code" AND cmdline:"markdown-pdf" AND file_path:"*.md"
