CVE-2023-31874
Description
Yank Note 3.52.1 allows arbitrary code execution via nodeRequire in crafted files, enabling full system compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Yank Note (YN) version 3.52.1 contains a code execution vulnerability that triggers when a user opens a crafted file. The issue arises because the editor processes JavaScript embedded in document content without proper sanitization, and that script can call `nodeRequire('child_process')` [1]. This allows an attacker to embed malicious code that executes in the context of the Yank Note application.
Exploitation
To exploit this vulnerability, an attacker needs to craft a file containing a malicious payload that uses nodeRequire('child_process') to execute system commands. The attacker then must convince a victim to open the crafted file in Yank Note 3.52.1. No special network position or authentication is required beyond standard file access [1]. The exploitation occurs immediately upon file open, as Yank Note processes the embedded code without user interaction beyond opening the file.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the victim's system with the privileges of the Yank Note process. This can lead to full compromise of the host, including data exfiltration, installation of malware, or further lateral movement within the network. The impact is complete loss of confidentiality, integrity, and availability [1].
Mitigation
As of May 2023, a fixed version has not been disclosed in the available references. Users should avoid opening untrusted files in Yank Note 3.52.1 and monitor for updates from the vendor. No workaround has been published [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Yank Note/Yank Note (description)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application allows arbitrary code execution when a specially crafted markdown file is opened."
Attack vector
An attacker can create a markdown file containing an iframe with a malformed srcdoc attribute. This attribute includes an img tag with an onerror event handler. The event handler executes JavaScript that calls `nodeRequire('child_process').execSync` to run arbitrary commands, such as opening a calculator application [ref_id=1]. The vulnerability is triggered when a victim opens this crafted file within Yank Note v3.52.1 [ref_id=1].
Affected code
The vulnerability is present in Yank Note v3.52.1. The exploit payload demonstrates the use of `nodeRequire('child_process').execSync` within an onerror event handler of an img tag inside an iframe's srcdoc attribute, indicating that the application's markdown rendering or script execution capabilities are susceptible to this injection [ref_id=1].
What the fix does
The advisory does not provide details on a specific patch or fix. It recommends that users update to the latest version of Yank Note. Users should consult the vendor for specific remediation guidance.
Preconditions
- input: A specially crafted markdown file (.md) containing malicious HTML and JavaScript.
- config: The target must be running Yank Note version 3.52.1.
Reproduction
Create a markdown file (.md) in any text editor and write the following payload.
Mac: `<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>">`
Ubuntu: `<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>">`
Opening the file in Yank Note will auto-execute the Calculator application. [ref_id=1]
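For triaging markdown files before they are opened, the payload shape described under "Attack vector" can be flagged statically. The following is an added example, not code from the advisory or from Yank Note: it generalizes to any inline event handler, follows iframe srcdoc values into the nested document, and rates handlers that mention Node APIs as high. The marker list, the function names and both sample documents are assumptions constructed for illustration.

```python
import sys
from html.parser import HTMLParser

# Strings from the payload shape the advisory describes; matched case-insensitively.
NODE_MARKERS = ("noderequire", "child_process", "execsync")
MAX_DEPTH = 4  # stop recursing into nested srcdoc documents past this level


class _HtmlScanner(HTMLParser):
    """Collects inline event handlers, following iframe srcdoc into nested HTML."""

    def __init__(self, depth=0):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.findings = []  # (severity, tag, attribute, srcdoc nesting depth)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                # Any inline handler is script; one reaching for Node APIs is worse.
                node = any(m in value.lower() for m in NODE_MARKERS)
                self.findings.append(("high" if node else "medium", tag, name, self.depth))
            elif tag == "iframe" and name == "srcdoc" and self.depth < MAX_DEPTH:
                # HTMLParser has already entity-decoded the value, so it can be
                # parsed as the document the iframe would load.
                inner = _HtmlScanner(self.depth + 1)
                inner.feed(value)
                inner.close()
                self.findings.extend(inner.findings)


def scan_markdown(text):
    """Return findings for raw HTML embedded in a markdown document."""
    scanner = _HtmlScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed samples (not from the advisory): the command call is left out.
SUSPICIOUS = ("# notes\n\n<iframe srcdoc=\"<img src=x "
              "onerror=parent.parent.nodeRequire('child_process')>\"></iframe>\n")
BENIGN = "# notes\n\nAn image: <img src=\"cat.png\" alt=\"on the sofa\">\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in scan_markdown(fh.read()):
                print(path, *finding)
```

The scanner does not interpret markdown, so HTML shown inside a fenced code sample is reported too; treat findings as a prompt for manual review.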
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.