VYPR
← All advisories
Moderate severityNVD Advisory· Published May 13, 2019· Updated Aug 4, 2024

CVE-2019-12043

CVE-2019-12043

Description

CVE-2019-12043 is an XSS vulnerability in remarkable 1.7.1 due to insufficient URL filtering of ASCII control characters, allowing attackers to inject malicious JavaScript via unprintable characters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-12043 is an XSS vulnerability in remarkable 1.7.1 due to insufficient URL filtering of ASCII control characters, allowing attackers to inject malicious JavaScript via unprintable characters.

Root

Cause

CVE-2019-12043 affects remarkable 1.7.1, a JavaScript Markdown parser. The vulnerability resides in lib/parser_inline.js, where URL filtering logic fails to properly handle ASCII control characters (codes < 0x20 and 0x7F). Specifically, the original code only blocked characters in a narrow range (0x08 to 0x0D), leaving other control characters unblocked. An attacker can prepend a control character such as \x0e (shift out) before the javascript: scheme, bypassing the intended URL validation [1][2].

Attack

Vector

Exploitation requires no authentication and can be achieved by crafting a Markdown link with a control character inserted before the javascript: scheme. For example, `click me) will render as an HTML anchor tag with href=" javascript:alert(1)". When a victim clicks the link, the browser interprets the javascript:` URL and executes the attacker's script. The attacker can embed such Markdown in any application that uses remarkable to render user-supplied input, such as forums, wikis, or chat systems [3].

Impact

Successful XSS allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The vulnerability is classified as a medium-severity XSS issue, with CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) [1].

Mitigation

The issue was patched in commit 49e87b7ae2dc323d83606792a749fb207595249e, which expanded the control character filter to reject all ASCII control codes (code < 0x20 or code === 0x7F). Users should upgrade to remarkable version 1.7.2 or later. No workaround is available; disabling JavaScript in the browser is not a practical fix for server-side rendering. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of May 2025 [2][3].

References
  1. NVD - CVE-2019-12043
  2. fix: disallow ascii control characters in URLs (#334) · jonschlinkert/remarkable@49e87b7
  3. [Security] bad url bypass, could lead to XSS

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
remarkablenpm
< 1.7.21.7.2

Affected products

2

Patches

1
49e87b7ae2dc

fix: disallow ascii control characters in URLs (#334)

https://github.com/jonschlinkert/remarkableDominykas BlyžėJul 27, 2019via ghsa
commit
2 files changed · +9 1
  • lib/helpers/parse_link_destination.js+2 1 modified
    @@ -52,7 +52,8 @@ module.exports = function parseLinkDestination(state, pos) {
 
     if (code === 0x20) { break; }
 
-    if (code > 0x08 && code < 0x0e) { break; }
+    // ascii control chars
+    if (code < 0x20 || code === 0x7F) { break; }
 
     if (code === 0x5C /* \ */ && pos + 1 < max) {
       pos += 2;
  • test/fixtures/remarkable/xss.txt+7 0 modified
    @@ -77,3 +77,10 @@ javascript:alert(1)
 <p>javascript:alert(1)</p>
 <p>javascript:alert(1)</p>
 .
+
+
+.
+[ASCII control characters XSS](javascript:alert(1))
+.
+<p>[ASCII control characters XSS](javascript:alert(1))</p>
+.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.