CVE-2021-27671
Description
An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-27671: XSS in the comrak Markdown parser due to case-sensitive URI scheme filtering allows Data: URIs to execute arbitrary JavaScript.
Root Cause
In comrak versions prior to 0.9.1, the protection mechanism that sanitizes data: and javascript: URIs is case-sensitive: only the exact lowercase forms data: and javascript: are blocked, while alternative capitalizations such as Data: or Javascript: pass the filter. Because URI scheme names are case-insensitive (RFC 3986), browsers treat those variants as the same scheme, so an attacker can inject URIs that the sanitizer ignores but the browser still interprets. [1][2][4]
Attack Vector
The vulnerability is triggered when an application uses comrak to parse and render untrusted Markdown. An attacker can craft a Markdown link or image whose destination uses a capitalized scheme, for example Data:text/html instead of data:text/html. Because the sanitizer matches only the lowercase scheme, the malicious URI is passed through unmodified. No authentication or special privileges are required; the attacker only needs to convince a victim to view the rendered output (user interaction). [3][4]
Impact
Successful exploitation leads to cross-site scripting (XSS) when the generated HTML is displayed in a browser. The attacker can execute arbitrary JavaScript in the context of the user's session, potentially leading to data theft, session hijacking, or further attacks on the user's browser. The CVSSv3.1 score is 6.1 (Medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. [4]
Mitigation
The issue is fixed in comrak version 0.9.1 and later. Users should upgrade to the latest version. There are no known workarounds besides upgrading. The vulnerability is also tracked as GHSA-xmr7-v725-2jjr in the GitHub Advisory Database. [3][4]
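To make the root cause and the fix concrete, here is an added example (not comrak's own code) of a link-destination check in the shape of comrak's dangerous_url rule: the pre-0.9.1 case-sensitive prefix comparison next to an ASCII-case-insensitive one, with the image/* exception kept on both sides. The function names, the render_link helper and the sample inputs are constructed for this illustration; the first seven inputs mirror the fix commit's test cases.

```rust
// Added example (not comrak's own code): a link-destination check in the shape of
// comrak's `dangerous_url` lexer rule, before and after the case-insensitivity fix.

/// Schemes other than `data:` that must never reach an href/src attribute.
const OTHER_DANGEROUS_SCHEMES: [&str; 3] = ["javascript:", "vbscript:", "file:"];

/// `data:` URIs carrying one of these media types are allowed through, mirroring
/// the `image/` exception in comrak's rule.
const SAFE_DATA_IMAGE_TYPES: [&str; 4] = ["image/png", "image/gif", "image/jpeg", "image/webp"];

/// Pre-0.9.1 behaviour: exact, case-sensitive prefix comparison.
/// "Data:" does not start with "data:", so it is waved through untouched.
pub fn is_dangerous_url_vulnerable(url: &str) -> bool {
    if let Some(rest) = url.strip_prefix("data:") {
        return !SAFE_DATA_IMAGE_TYPES.iter().any(|t| rest.starts_with(t));
    }
    OTHER_DANGEROUS_SCHEMES.iter().any(|s| url.starts_with(s))
}

/// ASCII-case-insensitive prefix match without allocating; returns the remainder
/// after the prefix when it matches. ASCII folding is sufficient because scheme
/// names and the media-type names compared here are all ASCII.
fn strip_prefix_ignore_ascii_case<'a>(haystack: &'a str, prefix: &str) -> Option<&'a str> {
    let n = prefix.len();
    if haystack.len() >= n && haystack.as_bytes()[..n].eq_ignore_ascii_case(prefix.as_bytes()) {
        // A byte that compares equal (after ASCII folding) to an ASCII byte is itself
        // ASCII, so the first `n` bytes are ASCII and `n` is a char boundary.
        Some(&haystack[n..])
    } else {
        None
    }
}

/// Fixed behaviour: scheme names are case-insensitive (RFC 3986), so compare them
/// that way. The image exception is folded too, so "Data:Image/PNG" is still safe.
pub fn is_dangerous_url_fixed(url: &str) -> bool {
    if let Some(rest) = strip_prefix_ignore_ascii_case(url, "data:") {
        return !SAFE_DATA_IMAGE_TYPES
            .iter()
            .any(|t| strip_prefix_ignore_ascii_case(rest, t).is_some());
    }
    OTHER_DANGEROUS_SCHEMES
        .iter()
        .any(|s| strip_prefix_ignore_ascii_case(url, s).is_some())
}

/// Render an anchor the way the fix commit's test expects: a dangerous destination
/// becomes an empty href instead of being copied into the output.
pub fn render_link(url: &str, text: &str, is_dangerous: fn(&str) -> bool) -> String {
    let href = if is_dangerous(url) { "" } else { url };
    format!("<a href=\"{}\">{}</a>", href, text)
}

fn main() {
    // Constructed inputs; the first seven mirror the fix commit's test cases.
    let inputs = [
        "javascript:a", "Javascript:b", "jaVascript:c", "data:xyz", "Data:xyz",
        "vbscripT:f", "FILE:g", "data:image/png;base64,AAAA",
        "Data:Image/PNG;base64,AAAA", "https://example.com/",
    ];
    for url in inputs.iter() {
        println!(
            "{:<28} vulnerable={:<5} fixed={}",
            url,
            is_dangerous_url_vulnerable(url),
            is_dangerous_url_fixed(url)
        );
    }
}
```

The hardened check folds case byte-wise on the prefix only, rather than lowercasing the whole URL: that avoids an allocation per link and keeps the comparison to the ASCII characters that scheme and media-type names are made of, which is the same shape as pest's `^"..."` case-insensitive literal used in the fix.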
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| comrak (crates.io) | < 0.9.1 | 0.9.1 |
Affected products
- Rust/comrak
Patches
- b3efbb6e427b: SECURITY: match unsafe prefixes case-insensitively
2 files changed · +9 −1
src/lexer.pest+1 −1 modified@@ -55,4 +55,4 @@ table_start = { "|"? ~ table_marker ~ ("|" ~ table_marker)* ~ "|"? ~ table_space table_cell_end = { "|" ~ table_spacechar* ~ table_newline? } table_row_end = { table_spacechar* ~ table_newline } -dangerous_url = { "data:" ~ !("image/" ~ ("png" | "gif" | "jpeg" | "webp")) | "javascript:" | "vbscript:" | "file:" } +dangerous_url = { ^"data:" ~ !(^"image/" ~ (^"png" | ^"gif" | ^"jpeg" | ^"webp")) | ^"javascript:" | ^"vbscript:" | ^"file:" }
src/tests.rs+8 −0 modified@@ -972,6 +972,14 @@ fn description_lists() { ); } +#[test] +fn case_insensitive_safety() { + html( + "[a](javascript:a) [b](Javascript:b) [c](jaVascript:c) [d](data:xyz) [e](Data:xyz) [f](vbscripT:f) [g](FILE:g)\n", + "<p><a href=\"\">a</a> <a href=\"\">b</a> <a href=\"\">c</a> <a href=\"\">d</a> <a href=\"\">e</a> <a href=\"\">f</a> <a href=\"\">g</a></p>\n", + ); +} + #[test] fn exercise_full_api() { let arena = ::Arena::new();
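Review bot: In the src/lexer.pest hunk, the `^` prefix is applied not only to the outer scheme literals but also to `^"image/"` and the four subtypes inside the negative lookahead, which is the right shape: if only the schemes had been folded, an upper-cased but legitimate `Data:Image/PNG` destination would now be classified as dangerous and blanked while the lowercase form is allowed. A one-line comment above `dangerous_url` recording that scheme names are case-insensitive would help, because a later edit that drops a single `^` will still parse and compile but silently narrow the rule again.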
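Review bot: The new `case_insensitive_safety` test in src/tests.rs asserts only on destinations that must be blanked (`Javascript:b`, `jaVascript:c`, `Data:xyz`, `vbscripT:f`, `FILE:g`); it has no positive case checking that a capitalised allowed form such as `Data:image/png;...` still passes through with its href intact. One extra link in the same input string would cover the `^"image/"` half of the rule, which the negative cases alone cannot detect a regression in.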
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xmr7-v725-2jjr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-27671 (GHSA, advisory)
- github.com/kivikakk/comrak/commit/b3efbb6e427bcd33bb14db45753ad4fd98e0f5bf (GHSA, web)
- github.com/kivikakk/comrak/releases/tag/0.9.1 (GHSA, web)
- rustsec.org/advisories/RUSTSEC-2021-0026.html (GHSA, x_refsource_MISC, web)