VYPR
Moderate severity · NVD Advisory · Published Jan 3, 2018 · Updated Sep 16, 2024

CVE-2017-1000491

Description

Shiba markdown preview app v1.1.0 enabled Node.js integration, allowing XSS to escalate to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Shiba markdown live preview app version 1.1.0 is vulnerable to cross-site scripting (XSS): the marked-based renderer emits raw HTML from the markdown source into the preview without sanitization, so arbitrary HTML and JavaScript embedded in a document is rendered and executed [1], [2]. Because the Electron renderer that hosts the preview has Node.js integration enabled, that script is not confined to the page but can reach Node.js APIs. The flaw sits in the code path that parses and displays markdown (renderer/markdown-preview.ts) and is reachable by simply opening a malicious markdown file or previewing untrusted content.

Exploitation

An attacker only needs to deliver a crafted markdown file to the victim, who then opens it in Shiba 1.1.0. Because Node.js integration is enabled, the injected script can call Node.js APIs (e.g., require('child_process')) directly from the preview context. No authentication or network position is required; the only user interaction is opening the crafted file.

Impact

Successful exploitation lets an attacker execute arbitrary JavaScript in the Electron renderer process that hosts the preview, and because Node.js integration is enabled this escalates to arbitrary code execution (tracked as RCE in the CVE) on the victim's system. The attacker gains the privileges of the user running Shiba, compromising confidentiality, integrity, and availability of the host machine.

Mitigation

The vulnerability is fixed in commit e8a65b0f81eb04903eedd29500d7e1bedf249eab [3], which enables marked's sanitize option in renderer/markdown-preview.ts so that raw HTML in the markdown source is escaped and displayed as text rather than rendered. Users should upgrade to shiba 1.1.1 or later. No workaround is documented for installations that remain on version 1.1.0. Note that the fix closes the injection point but does not touch the Electron web preferences: Node.js integration remains as it was, so any future injection into the preview would again have Node.js APIs in reach; disabling nodeIntegration (and enabling contextIsolation) for the preview window is the defence-in-depth that would confine such a bug to the renderer. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalogue as of the publication date.
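How the sanitize option changes what reaches the preview, as an added example that is not Shiba's or marked's own code: a toy renderer in JavaScript modelled on marked 0.3.x's block-level and inline handling of raw HTML, fed a constructed markdown sample of the kind described in the Vulnerability and Exploitation sections above, plus a tag-level check for active content. The function names (escapeHtml, renderInline, renderMarkdown, hasActiveContent) and the sample document are assumptions made for this illustration; run it with node.

```javascript
// Added example, not Shiba's or marked's own code: a toy markdown renderer
// that models how marked 0.3.x treats raw HTML with and without its
// `sanitize` option. Shiba 1.1.0 rendered previews with sanitize off; the
// fix commit sets sanitize on.

// Escape the characters that would otherwise be interpreted as markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Matches an HTML start or end tag such as <img src=x onerror="..."> or </b>.
const HTML_TAG = /<\/?[a-zA-Z][^<>]*>/g;

// Inline content: literal text is always escaped; embedded tags are passed
// through verbatim unless `sanitize` is set, in which case they are escaped
// too and show up as visible text in the preview.
function renderInline(text, sanitize) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(HTML_TAG)) {
    out += escapeHtml(text.slice(last, m.index));
    out += sanitize ? escapeHtml(m[0]) : m[0];
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Block level: blank-line separated blocks become ATX headings, raw HTML
// blocks (a block that starts with a tag) or paragraphs. A raw HTML block is
// the classic vector: with sanitize off it is emitted exactly as written.
function renderMarkdown(src, options = {}) {
  const sanitize = Boolean(options.sanitize);
  const html = [];
  for (const block of src.split(/\n\s*\n/)) {
    const text = block.trim();
    if (text === '') continue;
    const heading = /^(#{1,6})\s+(.+)$/.exec(text);
    if (heading) {
      const level = heading[1].length;
      html.push(`<h${level}>${renderInline(heading[2], sanitize)}</h${level}>`);
    } else if (/^<[a-zA-Z]/.test(text)) {
      html.push(sanitize ? `<p>${escapeHtml(text)}</p>` : text);
    } else {
      html.push(`<p>${renderInline(text, sanitize)}</p>`);
    }
  }
  return html.join('\n');
}

// Constructed sample input (not taken from the advisory): a markdown file a
// victim might open in the preview. The onerror handler is benign here; in
// Shiba 1.1.0 the same handler ran in a renderer with Node.js integration on.
const SAMPLE_MARKDOWN = [
  '# Release notes',
  '',
  'Plain text with <b>inline</b> markup.',
  '',
  '<img src=x onerror="alert(\'xss\')">',
].join('\n');

// Hardening check: look only at real tags in the rendered output for script
// elements, on* event handlers or javascript: URLs. Escaped payload text
// (e.g. "onerror=" inside &lt;...&gt;) is not a tag and is not flagged.
function hasActiveContent(html) {
  for (const [tag] of html.matchAll(HTML_TAG)) {
    if (/^<script\b/i.test(tag) || /\son[a-z]+\s*=/i.test(tag) || /javascript:/i.test(tag)) {
      return true;
    }
  }
  return false;
}

console.log('sanitize off, active content:', hasActiveContent(renderMarkdown(SAMPLE_MARKDOWN)));
console.log('sanitize on,  active content:', hasActiveContent(renderMarkdown(SAMPLE_MARKDOWN, { sanitize: 1 })));
```

With sanitize off the img element and its onerror handler are emitted verbatim, which in Shiba 1.1.0 meant running with Node.js APIs in reach; with sanitize on the same input is escaped into visible text and the check finds nothing. The check deliberately inspects only genuine tags, because the escaped payload still contains the string onerror= as harmless text and a naive substring search would report a false positive on the fixed output.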

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
shiba     npm         < 1.1.1             1.1.1

Affected products

1

Patches

1
e8a65b0f81eb

improve marked renderer

https://github.com/rhysd/Shiba · rhysd · Nov 28, 2017 · via ghsa
4 files changed · +6 −169
  • package.json  +2 −1  modified
    @@ -51,9 +51,10 @@
         "@types/empower": "^1.2.30",
         "@types/es6-promise": "0.0.33",
         "@types/he": "^0.5.29",
    -    "@types/highlight.js": "^9.12.1",
    +    "@types/highlight.js": "^9.12.2",
         "@types/js-yaml": "^3.9.1",
         "@types/katex": "0.5.0",
    +    "@types/marked": "^0.3.0",
         "@types/mocha": "^2.2.44",
         "@types/mousetrap": "^1.5.34",
         "@types/node": "8.0.53",
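Review bot: the runtime marked dependency that the new sanitize option relies on is not part of this hunk; only @types packages change here. Confirm the pinned marked version actually implements sanitize as escaping of raw HTML (the removed marked.d.ts documents it as "Sanitize the output. Ignore any HTML that has been input."), and consider landing the unrelated @types/highlight.js bump from ^9.12.1 to ^9.12.2 separately so the security fix stays minimal and reviewable.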
    
  • renderer/markdown-preview.ts  +4 −1  modified
    @@ -41,17 +41,20 @@ marked.setOptions({
             }
         },
     
    +    // @ts-ignore: emoji is a dedicated method added by my fork
         emoji(name: string) {
             return emoji_replacer.replaceOne(name);
         },
    +
    +    sanitize: 1,
     });
     
     const REGEX_CHECKED_LISTITEM = /^\[x]\s+/;
     const REGEX_UNCHECKED_LISTITEM = /^\[ ]\s+/;
     
     class MarkdownRenderer {
         public outline: Heading[];
    -    private renderer: MarkedRenderer;
    +    private renderer: marked.Renderer;
         private link_id: number;
         private tooltips: string;
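Review bot: sanitize is set to the number 1 where marked's option is a boolean (the removed typings declare sanitize?: boolean); write sanitize: true so the intent is plain and the option checks against @types/marked without relying on coercion. Two further points on this hunk: the @ts-ignore above emoji silences the type error instead of declaring the fork's option, so a module augmentation of marked's options would be the cleaner fix; and enabling sanitize also strips legitimate inline HTML that users may rely on in previews, a behaviour change that the commit message "improve marked renderer" does not mention and that deserves a changelog or release note.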
     
    
  • renderer/marked.d.ts  +0 −166  removed
    @@ -1,166 +0,0 @@
    -// Generated by typings
    -// Source: https://raw.githubusercontent.com/DefinitelyTyped/DefinitelyTyped/9cfdb11648f823b889287c770254b85b78a7a4a4/marked/marked.d.ts
    -interface MarkedStatic {
    -    Renderer: {
    -        new(): MarkedRenderer;
    -    };
    -
    -    Parser: {
    -        new(options: MarkedOptions): MarkedParser;
    -    };
    -
    -    /**
    -     * Compiles markdown to HTML.
    -     *
    -     * @param src String of markdown source to be compiled
    -     * @param callback Function called when the markdownString has been fully parsed when using async highlighting
    -     * @return String of compiled HTML
    -     */
    -    (src: string, callback: (...args: any[]) => void): string;
    -
    -    /**
    -     * Compiles markdown to HTML.
    -     *
    -     * @param src String of markdown source to be compiled
    -     * @param options Hash of options
    -     * @param callback Function called when the markdownString has been fully parsed when using async highlighting
    -     * @return String of compiled HTML
    -     */
    -    (src: string, options?: MarkedOptions, callback?: (...args: any[]) => void): string;
    -
    -    /**
    -     * @param src String of markdown source to be compiled
    -     * @param options Hash of options
    -     */
    -    lexer(src: string, options?: MarkedOptions): any[];
    -
    -    /**
    -     * Compiles markdown to HTML.
    -     *
    -     * @param src String of markdown source to be compiled
    -     * @param callback Function called when the markdownString has been fully parsed when using async highlighting
    -     * @return String of compiled HTML
    -     */
    -    parse(src: string, callback: (...args: any[]) => void): string;
    -
    -    /**
    -     * Compiles markdown to HTML.
    -     *
    -     * @param src String of markdown source to be compiled
    -     * @param options Hash of options
    -     * @param callback Function called when the markdownString has been fully parsed when using async highlighting
    -     * @return String of compiled HTML
    -     */
    -    parse(src: string, options?: MarkedOptions, callback?: (...args: any[]) => void): string;
    -
    -    /**
    -     * @param options Hash of options
    -     */
    -    parser(src: any[], options?: MarkedOptions): string;
    -
    -    /**
    -     * Sets the default options.
    -     *
    -     * @param options Hash of options
    -     */
    -    setOptions(options: MarkedOptions): MarkedStatic;
    -}
    -
    -interface MarkedRenderer {
    -    code(code: string, language: string): string;
    -    blockquote(quote: string): string;
    -    html(html: string): string;
    -    heading(text: string, level: number, raw: string): string;
    -    hr(): string;
    -    list(body: string, ordered: boolean): string;
    -    listitem(text: string): string;
    -    paragraph(text: string): string;
    -    table(header: string, body: string): string;
    -    tablerow(content: string): string;
    -    tablecell(content: string, flags: {
    -        header: boolean,
    -        align: string
    -    }): string;
    -    strong(text: string): string;
    -    em(text: string): string;
    -    codespan(code: string): string;
    -    br(): string;
    -    del(text: string): string;
    -    link(href: string, title: string, text: string): string;
    -    image(href: string, title: string, text: string): string;
    -    text(text: string): string;
    -}
    -
    -interface MarkedParser {
    -    parse(source: any[]): string;
    -}
    -
    -interface MarkedOptions {
    -    /**
    -     * Type: object Default: new Renderer()
    -     *
    -     * An object containing functions to render tokens to HTML.
    -     */
    -    renderer?: MarkedRenderer;
    -
    -    /**
    -     * Enable GitHub flavored markdown.
    -     */
    -    gfm?: boolean;
    -
    -    /**
    -     * Enable GFM tables. This option requires the gfm option to be true.
    -     */
    -    tables?: boolean;
    -
    -    /**
    -     * Enable GFM line breaks. This option requires the gfm option to be true.
    -     */
    -    breaks?: boolean;
    -
    -    /**
    -     * Conform to obscure parts of markdown.pl as much as possible. Don't fix any of the original markdown bugs or poor behavior.
    -     */
    -    pedantic?: boolean;
    -
    -    /**
    -     * Sanitize the output. Ignore any HTML that has been input.
    -     */
    -    sanitize?: boolean;
    -
    -    /**
    -     * Use smarter list behavior than the original markdown. May eventually be default with the old behavior moved into pedantic.
    -     */
    -    smartLists?: boolean;
    -
    -    /**
    -     * Shows an HTML error message when rendering fails.
    -     */
    -    silent?: boolean;
    -
    -    /**
    -     * A function to highlight code blocks. The function takes three arguments: code, lang, and callback.
    -     */
    -    highlight?: (code: string, lang: string, callback?: (...args: any[]) => void) => string;
    -
    -    /**
    -     * Set the prefix for code block classes.
    -     */
    -    langPrefix?: string;
    -
    -    /**
    -     * Use 'smart' typograhic punctuation for things like quotes and dashes.
    -     */
    -    smartypants?: boolean;
    -
    -    /**
    -     * Forked 'emoji' inline images
    -     */
    -    emoji?: (name: string) => string;
    -}
    -
    -declare module 'marked' {
    -    const marked: MarkedStatic;
    -    export = marked;
    -}
    -
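Review bot: deleting the hand-maintained typings drops the fork-specific emoji option (the removed MarkedOptions.emoji member near the end of this file) without adding it back anywhere, which is what forces the @ts-ignore in markdown-preview.ts. Rather than losing that type information, add a small module augmentation declaring emoji?: (name: string) => string on marked's options alongside the new @types/marked dependency. Otherwise the move from a vendored, typings-generated file to the DefinitelyTyped package is the right direction.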
    
  • renderer/tsconfig.json  +0 −1  modified
    @@ -18,7 +18,6 @@
         "index.ts",
         "keyboard.ts",
         "lib.d.ts",
    -    "marked.d.ts",
         "lint-message.ts",
         "lint-panel.ts",
         "markdown-preview.ts",
    

References

4
