VYPR
Moderate severity · GHSA Advisory · Published Oct 26, 2022 · Updated May 9, 2025

Cross-site Scripting (XSS)

CVE-2022-25849

Description

All versions of the package joyqi/hyper-down from 0.0.0 are vulnerable to Cross-site Scripting (XSS) because the markdown parsing module does not adequately filter the href attribute.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

joyqi/hyper-down is vulnerable to stored XSS via crafted markdown links due to insufficient href filtering, with no fix available.

Vulnerability

Overview

The joyqi/hyper-down package (also known as HyperDown) is a PHP Markdown parser vulnerable to Cross-site Scripting (XSS) because it fails to properly filter the href attribute in markdown links [1]. This allows attackers to inject javascript: URIs that execute arbitrary JavaScript when a user clicks the crafted link.

Exploitation

An attacker can supply markdown text containing a crafted link. When it is parsed and rendered as HTML, the resulting `href` contains a javascript: URI that is not blocked. If a victim clicks the link, the script executes in their browser context [1]. No authentication is required; the attack vector is user interaction.

Impact

Successful exploitation leads to arbitrary JavaScript execution, potentially enabling session hijacking, credential theft, or defacement [2]. The vulnerability affects all versions of the package as no fix has been released.

Mitigation

As of the latest advisory, there is no patched version available [1]. Users should avoid using this library or implement custom filtering to sanitize href attributes. The source code is available on GitHub [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
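The custom href filtering suggested under Mitigation, as an added PHP example that is not part of HyperDown or this advisory. It post-processes the HTML the parser emits and strips any link whose URL scheme is not on an allowlist; the only assumption is that `$html` holds the parser's output string.

```php
<?php
// Added example, not HyperDown's own code. Removes the href of any <a> whose
// scheme is not allowlisted, so a javascript: link injected through markdown is
// neutralised before the rendered HTML reaches a browser.
// Assumption: $html is the string the markdown parser returned.

function sanitizeLinkHrefs(string $html): string
{
    $allowedSchemes = ['http', 'https', 'mailto'];

    $dom = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate fragment HTML quietly
    // The leading XML declaration tells libxml the fragment is UTF-8; the <body>
    // wrapper lets it parse without an implied <html> element being added.
    $dom->loadHTML(
        '<?xml encoding="utf-8" ?><body>' . $html . '</body>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    foreach ($dom->getElementsByTagName('a') as $anchor) {
        // getAttribute() returns the decoded value, so an entity-encoded scheme
        // such as &#106;avascript: already reads "javascript:" here.
        $href = $anchor->getAttribute('href');
        // Browsers discard ASCII control characters and whitespace when they
        // determine the scheme, so drop them before inspecting it.
        $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $href));

        // No scheme at all means a relative URL or fragment: nothing to block.
        if (!preg_match('/^([a-z][a-z0-9+.\-]*):/', $probe, $m)) {
            continue;
        }
        if (!in_array($m[1], $allowedSchemes, true)) {
            $anchor->removeAttribute('href');    // keep the link text, drop the URL
        }
    }

    // Serialise only the children of <body> so the wrapper stays out of the output.
    $out = '';
    foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $node) {
        $out .= $dom->saveHTML($node);
    }
    return $out;
}

// Constructed sample: a crafted link as the parser might render it, beside a benign one.
$rendered = '<p><a href="javascript:alert(1)">click</a> <a href="https://example.com/">ok</a></p>';
echo sanitizeLinkHrefs($rendered), PHP_EOL;
```

Parsing with DOMDocument rather than a regex matters here: the attribute value is decoded before the scheme check, so entity or whitespace obfuscation of `javascript:` is caught.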

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: joyqi/hyper-down (Packagist)
Affected versions: <= 2.4.27
Patched versions: none

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.