CVE-2025-7969

6.1 MEDIUM

📋 TL;DR

This XSS vulnerability in markdown-it allows attackers to inject malicious scripts into web pages generated by the library. It affects applications that use markdown-it 14.1.0 to render user-controlled markdown content. The vendor disputes that this is a vulnerability, but the CVSS score indicates moderate risk.

💻 Affected Systems

Products:
  • markdown-it
Versions: 14.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that render untrusted user input with markdown-it. The vendor disputes that this is a vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites when users view maliciously crafted markdown content.

🟠 Likely Case

Limited XSS attacks against users who view attacker-controlled markdown content, potentially leading to session hijacking or credential theft.

🟢 If Mitigated

With proper output encoding and a Content Security Policy, impact is minimal because injected scripts would be blocked from execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (viewing malicious markdown) and depends on application context. No public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.2.0 or later

Vendor Advisory: https://github.com/markdown-it/markdown-it/issues/1122

Restart Required: No

Instructions:

1. Update markdown-it package: npm update markdown-it
2. Verify version is 14.2.0 or higher
3. Test markdown rendering functionality

🔧 Temporary Workarounds

Input Sanitization (applies to: all platforms)

Sanitize all user-provided markdown before passing it to the markdown-it renderer.

Content Security Policy (applies to: all platforms)

Implement strict CSP headers to block inline script execution.
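The advisory recommends a strict CSP but does not show one. The following is an added example, not code from the advisory or from the markdown-it project: it places a permissive policy (one that still lets an injected inline script run) beside a nonce-based strict policy, and includes a small checker that flags the weak directives. The nonce is passed in by the caller; the directive names and keywords are standard CSP Level 3.

```javascript
// Added example (not from the advisory or the markdown-it project).
// A page that displays markdown-it output should ship a CSP that refuses
// inline scripts; the checker below shows why the "weak" header does not.

// Weak policy: 'unsafe-inline' lets any injected <script> or onload= run.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// Strict policy: only scripts carrying the per-response nonce may execute.
// The nonce must be freshly generated for every response, e.g. with
// crypto.randomBytes(16).toString('base64') in Node, and echoed into the
// <script nonce="..."> tags of the page template.
function buildStrictCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",     // no plugins (Flash, PDF) as a script vector
    "base-uri 'self'",       // injected <base> cannot redirect relative URLs
    "form-action 'self'",    // injected <form> cannot post credentials elsewhere
    "frame-ancestors 'none'",
  ].join('; ');
}

// Parse a CSP header value into { directiveName: [source tokens] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Return human-readable findings; an empty array means the header blocks
// inline script execution and the common bypass vectors.
function cspFindings(header) {
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent.
  const script = d['script-src'] || d['default-src'] || [];
  const hasNonceOrHash = script.some(
    t => t.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(t)
  );
  if (script.length === 0) {
    findings.push('no script-src or default-src: inline scripts are allowed');
  }
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
  // only a finding when nothing else constrains inline scripts.
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src permits 'unsafe-inline': injected scripts run");
  }
  if (script.includes('*') || script.includes('data:')) {
    findings.push('script-src allows wildcard or data: sources');
  }
  const defaultIsNone = (d['default-src'] || []).includes("'none'");
  if (!d['object-src'] && !defaultIsNone) {
    findings.push('object-src not restricted');
  }
  if (!d['base-uri']) {
    findings.push('base-uri not set');
  }
  return findings;
}

// Demo with a fixed nonce; a real server generates a new one per response.
const DEMO_NONCE = 'demo-nonce-replace-me';
console.log('weak  :', cspFindings(WEAK_CSP));
console.log('strict:', cspFindings(buildStrictCsp(DEMO_NONCE)));
```

Send the strict value as the `Content-Security-Policy` response header on every page that embeds rendered markdown. Keeping markdown-it's default `html: false` option (raw HTML in the source is escaped rather than passed through) remains the first line of defence; the CSP is the layer that limits impact if something still slips through.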

🧯 If You Can't Patch

  • Implement strict output encoding for all markdown-rendered content
  • Disable markdown rendering for untrusted user input

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list markdown-it

Check Version:

npm list markdown-it | grep markdown-it

Verify Fix Applied:

Verify markdown-it version is 14.2.0 or higher: npm list markdown-it
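`npm list markdown-it` prints every installed copy, but in CI it is easier to inspect the lockfile directly. The following is an added example, not a script from the advisory or the markdown-it project: it walks a `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map keys installed paths to entries) and reports any copy of markdown-it, including nested copies pulled in by plugins, whose version is below the 14.2.0 fix version stated above. The lockfile content embedded below is constructed for the demo.

```javascript
// Added example (not from the advisory or the markdown-it project): audit a
// package-lock.json for every installed copy of markdown-it and flag those
// below the fixed version named in the advisory.
const FIXED_VERSION = [14, 2, 0];

// "14.1.0" -> [14, 1, 0]. A pre-release suffix ("14.2.0-rc.1") is dropped,
// which treats pre-releases of the fix as fixed; tighten if that matters.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/markdown-it" for the top-level
// copy and "node_modules/<dep>/node_modules/markdown-it" for nested copies.
function findMarkdownIt(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/markdown-it' ||
        path.endsWith('/node_modules/markdown-it')) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Annotate each copy with whether it is below the fixed version.
function audit(lock) {
  return findMarkdownIt(lock).map(hit => ({
    ...hit,
    vulnerable: compareVersions(parseVersion(hit.version), FIXED_VERSION) < 0,
  }));
}

// Constructed sample: the app's own copy is patched, but a plugin pins an
// older markdown-it in its own node_modules, which "npm update" does not fix.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/markdown-it': { version: '14.2.0' },
    'node_modules/example-md-plugin': { version: '0.3.1' },          // hypothetical plugin
    'node_modules/example-md-plugin/node_modules/markdown-it': { version: '14.1.0' },
  },
};

for (const r of audit(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.version}  ${r.path}`);
}
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the build when any entry is `vulnerable`. Nested copies are the ones `npm update markdown-it` can miss, so the audit should run after the update, not instead of it.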

📡 Detection & Monitoring

Log Indicators:

  • Unusual markdown input patterns
  • Multiple failed markdown parsing attempts

Network Indicators:

  • Script tags in markdown content
  • Unusual external resource loading from markdown

SIEM Query:

search 'markdown parsing error' OR 'script injection attempt' in application logs
