VYPR
Moderate severity · NVD Advisory · Published Jan 2, 2018 · Updated Aug 5, 2024

CVE-2017-1000427

Description

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

marked versions before 0.3.7 are vulnerable to stored XSS via crafted data: URIs in markdown input.

Vulnerability

marked version 0.3.6 and earlier contains a cross-site scripting (XSS) vulnerability in the data: URI parser [1]. The parser does not sanitize data URI content when rendering markdown links, allowing an attacker to inject arbitrary HTML or JavaScript. The vulnerable versions are all releases prior to 0.3.7 [1][4].

Exploitation

An attacker can craft a markdown link whose `data:` URI target carries base64-encoded JavaScript or HTML [1]. If a user views the rendered markdown output, the browser executes the embedded script. No authentication or special network position is required beyond the ability to supply markdown content that is processed by a vulnerable `marked` instance, such as a comment, document, or message on a web application using the library.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session when the rendered markdown is loaded [1]. This can lead to theft of session cookies, exfiltration of sensitive data, defacement, or other client-side attacks. The attacker gains the same privileges as the victim user within the affected application.

Mitigation

Upgrade marked to version 0.3.7 or later, where the data: URI parser properly validates or blocks malicious content [1][4]. No workaround is available for earlier versions; applications should also implement output sanitization using libraries such as DOMPurify as a defense-in-depth measure [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
marked (npm)   < 0.3.7             0.3.7

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.