VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2021 · Updated Aug 4, 2024

CVE-2021-38186

Description

An issue was discovered in the comrak crate before 0.10.1 for Rust. It mishandles & characters, leading to XSS via &# HTML entities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Comrak Rust crate before 0.10.1 mishandles & characters, allowing XSS via crafted HTML entities.

Vulnerability

The comrak crate (a CommonMark and GFM Markdown parser/renderer) before version 0.10.1 mishandles & characters, leading to cross-site scripting (XSS) via &# HTML entities [1][2]. The bug exists in the HTML entity parsing logic, allowing an attacker to inject arbitrary HTML/JavaScript when user-supplied Markdown is rendered.

Exploitation

An attacker can craft Markdown input containing malicious &# sequences that bypass sanitization. No special privileges are required; the attacker only needs to submit the crafted Markdown to an application using the vulnerable comrak version. The parser incorrectly processes these entities, resulting in the injection of arbitrary HTML attributes or script tags.

Impact

Successful exploitation leads to stored or reflected XSS, depending on the application context. The attacker can execute arbitrary JavaScript in the victim's browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The vulnerability affects all uses of comrak before 0.10.1.

Mitigation

The issue is fixed in comrak version 0.10.1, released on May 4, 2021 [3][4]. Users should upgrade to 0.10.1 or later. No workarounds are documented; upgrading is the recommended action.
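To make the mechanism described above concrete, here is an added Rust example, not comrak's own code: `escape_href` models an HREF_SAFE-style allowlist in which `&` and `'` are either trusted (the pre-0.10.1 behaviour) or escaped (the 0.10.1 behaviour), and `browser_decode_attr` is a deliberately minimal model of how a browser decodes an href attribute value. `HREF_PUNCT`, the function names and the sample URLs are assumptions; the `&#x6A...` payload in the test is the one from the patch's regression test.

```rust
// Added example, not comrak's code; HREF_PUNCT is a constructed allowlist without `&`/`'`.
const HREF_PUNCT: &str = "-_.+!*(),%#@?=;:/$~";

/// Escape an href; `trust_amp_quote` keeps `&`/`'` verbatim (the pre-0.10.1 behaviour).
fn escape_href(url: &str, trust_amp_quote: bool) -> String {
    let mut out = String::new();
    for c in url.chars() {
        match c {
            '&' | '\'' if trust_amp_quote => out.push(c),
            '&' => out.push_str("&amp;"),
            '\'' => out.push_str("&#x27;"),
            c if c.is_ascii_alphanumeric() || HREF_PUNCT.contains(c) => out.push(c),
            c => out.push_str(&format!("%{:02X}", c as u32)), // ASCII-only model
        }
    }
    out
}

/// Browser model: decode `&amp;` and numeric refs; the `;` is optional, as in HTML attributes.
fn browser_decode_attr(s: &str) -> String {
    let b = s.as_bytes();
    let (mut out, mut i) = (String::new(), 0);
    while i < b.len() {
        if b[i] == b'&' && s[i..].starts_with("&amp;") {
            out.push('&');
            i += 5;
            continue;
        }
        let hex = matches!(b.get(i + 2), Some(&b'x') | Some(&b'X'));
        let (radix, start) = if hex { (16, i + 3) } else { (10, i + 2) };
        let mut j = start;
        if b[i] == b'&' && b.get(i + 1) == Some(&b'#') {
            while j < b.len() && (b[j] as char).is_digit(radix) { j += 1; }
        }
        if j == start {
            out.push(b[i] as char); // literal byte (ASCII assumed); also covers a bare `&`
            i += 1;
            continue;
        }
        let cp = u32::from_str_radix(&s[start..j], radix).unwrap_or(0xFFFD);
        out.push(char::from_u32(cp).unwrap_or('\u{FFFD}'));
        i = if b.get(j) == Some(&b';') { j + 1 } else { j };
    }
    out
}

/// What the browser ends up navigating to after the renderer's escaping.
fn effective_href(markdown_href: &str, trust_amp_quote: bool) -> String {
    browser_decode_attr(&escape_href(markdown_href, trust_amp_quote))
}
```

With `&` trusted, the entity payload decodes in the browser to a script URL; with `&` emitted as `&amp;`, the browser sees only the literal `&#x6A...` text, while a legitimate `?a=1&b=2` query string still round-trips intact.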

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
comrak (crates.io)   < 0.10.1            0.10.1

Patches (1)

b72340cabe47

SECURITY: escape ampersands in hrefs

https://github.com/kivikakk/comrak · Asherah Connor · May 4, 2021 · via ghsa
2 files changed · +9 −1
  • src/html.rs (+1 −1, modified)
    @@ -275,7 +275,7 @@ impl<'o> HtmlFormatter<'o> {
             lazy_static! {
                 static ref HREF_SAFE: [bool; 256] = {
                     let mut a = [false; 256];
    -                for &c in b"-_.+!*'(),%#@?=;:/,+&$~abcdefghijklmnopqrstuvwxyz".iter() {
    +                for &c in b"-_.+!*(),%#@?=;:/,+$~abcdefghijklmnopqrstuvwxyz".iter() {
                         a[c as usize] = true;
                     }
                     for &c in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".iter() {
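Review bot: the new literal still lists `,` and `+` twice (`-_.+!*(),%#@?=;:/,+$~`), which is harmless but worth deduplicating while the line is being touched, and the commit message says "escape ampersands" although this hunk also drops `'` from HREF_SAFE, so the message should mention that single quotes in hrefs are now escaped as well. Removing `&` from the safe set is the right fix: a literal `&` in a link destination is emitted as `&amp;`, so an entity sequence such as `&#x6A...` reaches the browser as text instead of being decoded into a URL scheme, while a legitimate `?a=1&b=2` query string keeps working because the browser decodes `&amp;` back to `&` in the attribute value.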
    
  • src/tests.rs (+8 −0, modified)
    @@ -421,6 +421,14 @@ fn reference_links() {
         );
     }
     
    +#[test]
    +fn link_entity_regression() {
    +    html(
    +        "[link](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)",
    +        "<p><a href=\"&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29\">link</a></p>\n",
    +    );
    +}
    +
     #[test]
     fn strikethrough() {
         html_opts!(
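Review bot: the regression test exercises only the ampersand half of the change; since every character of the link destination is entity-encoded, no literal `'` reaches the href, so the removal of `'` from HREF_SAFE in src/html.rs is untested here. Consider a second `html(...)` case with a plain `'` in the destination, asserting its escaped form. The existing assertion is sound as written: the expected output keeps each `&` as `&amp;`, so the browser's attribute decoding yields the literal `&#x6A...` text rather than a decoded script URL.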
    
