VYPR
Moderate severity · OSV Advisory · Published Mar 15, 2019 · Updated Aug 4, 2024

CVE-2019-9844

Description

Khan Academy's simple-markdown before 0.4.4 allows XSS via data: or vbscript: URIs in markdown links, enabling arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Khan Academy's simple-markdown library prior to version 0.4.4. The library fails to properly sanitize URIs in markdown links, allowing dangerous schemes such as data: and vbscript: to be used. This affects all versions before 0.4.4 [1][3].

Exploitation

An attacker can craft a markdown link containing a data: or vbscript: URI. No authentication or special privileges are required; the exploit is triggered when a user clicks on the malicious link [2]. The attacker does not need any network position beyond being able to serve or inject the markdown content.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or other unauthorized actions, depending on the application's use of the library [3].

Mitigation

Upgrade to simple-markdown version 0.4.4 or later, which fixes the issue by blocking dangerous URI schemes. The fix was implemented in pull request #63 [2]. No workarounds have been published for earlier versions [3].
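The mitigation above is the scheme check a markdown renderer has to perform before it emits an href. The following is an added example in JavaScript, not simple-markdown's own code and not the change from pull request #63; the function names (sanitizeHref, renderLink), the allowlist of accepted schemes and the sample link targets are this example's own assumptions. It takes the allowlist approach (accept only known-safe schemes, reject everything else) rather than a denylist of data: and vbscript:, and it runs the check on a normalized copy of the target so that case, embedded control characters and entity-encoded letters do not slip past the comparison.

```javascript
// Added example, not simple-markdown's own code or the fix from PR #63.
// Allowlist-based link-target sanitizer of the kind a markdown renderer
// needs before it emits an href attribute.

// Schemes this example chooses to accept. Anything else (data:, vbscript:,
// javascript:, or a scheme the renderer has never heard of) is rejected.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

function codePointToString(n) {
  return Number.isFinite(n) && n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Produce the form of the href that matters for scheme detection: decode the
// entity encodings an HTML parser would undo, then drop the control characters
// and whitespace that browsers ignore inside a scheme ("java\tscript:").
function normalizeHref(href) {
  const decoded = href
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => codePointToString(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => codePointToString(parseInt(dec, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":");
  return decoded.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// Return the scheme of a normalized href, or null for relative targets
// ("/path", "#fragment", "//host/path").
function extractScheme(href) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeHref(href));
  return m ? m[1] : null;
}

// Return the href to emit, or null when the link must be dropped. The
// normalized copy is used only for the decision; the original (trimmed)
// value is what gets emitted.
function sanitizeHref(href) {
  if (typeof href !== "string") return null;
  const scheme = extractScheme(href);
  if (scheme === null) return href.trim();
  return SAFE_SCHEMES.has(scheme) ? href.trim() : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render a markdown link [text](href). A rejected target keeps the visible
// text but loses the hyperlink, so the document still reads correctly.
function renderLink(text, href) {
  const safe = sanitizeHref(href);
  if (safe === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safe)}">${escapeHtml(text)}</a>`;
}

// Constructed sample targets (not from the advisory), printed when run directly.
const SAMPLE_HREFS = [
  "https://example.com/docs",
  "/relative/path#section",
  "data:text/html,x",
  "VBScript:x",
  "java\tscript:x",
  "&#106;avascript:x",
];

for (const href of SAMPLE_HREFS) {
  console.log(JSON.stringify(href), "->", sanitizeHref(href) === null ? "REJECTED" : "allowed");
}
```

Because the decision is made on an allowlist, a target such as "foo:bar" with an unrecognized scheme is rejected rather than passed through; that is the intended trade-off, since a denylist that names only data: and vbscript: would miss javascript: and any browser-specific scheme added later. Relative targets (no scheme) are allowed unchanged.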

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: simple-markdown (npm)
Affected versions: < 0.4.4
Patched versions: 0.4.4

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 11

News mentions: 0

No linked articles in our index yet.