VYPR
Moderate severity · NVD Advisory · Published Oct 15, 2024 · Updated Oct 15, 2024

CVE-2024-21535

Description

Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting (XSS) vulnerability in markdown-to-jsx versions before 7.4.0 lets an attacker run arbitrary JavaScript in the viewer's browser by placing a `javascript:` URL in the `src` attribute of an iframe embedded in the markdown.

Vulnerability

Versions of the package markdown-to-jsx prior to 7.4.0 are vulnerable to Cross-site Scripting (XSS) because the src attribute of iframe elements is not sanitized [1][2][3]. The library's parser passes raw HTML elements in the markdown through to React elements, and while the href attribute was already routed through a URL sanitizer, src was not, so a malicious iframe's src attribute reaches the DOM unvalidated [1][3]. An attacker can therefore place a JavaScript URL in the src attribute (e.g., javascript:alert()), which the browser executes in the context of the page rendering the markdown [3].

Exploitation

An attacker can craft a markdown document containing a raw HTML iframe tag whose src attribute is a javascript: URL. If the application renders user-supplied markdown with the vulnerable library, the iframe is injected into the DOM and the payload runs when a user views the rendered content. No authentication or network position is required beyond the ability to supply markdown content to the application [3]. The published proof-of-concept is a single React component that renders such a markdown string through the library [3].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser session. This can result in session hijacking, data theft, defacement, or other actions typical of stored or reflected XSS attacks [2][3]. The advisory rates the issue as moderate severity; exploitation requires no user interaction beyond viewing the rendered content, and the blast radius is whatever the rendering page's origin can reach.

Mitigation

The vulnerability is fixed in version 7.4.0 of markdown-to-jsx [3]. The fix routes the src attribute through the same URL sanitizer that already guarded href, so a javascript: scheme in an iframe src is rejected before the element is rendered [4]. Users should upgrade to version 7.4.0 or later. No official workaround is documented; until an upgrade is possible, stripping raw HTML from user-supplied markdown before rendering, or passing the rendered output through an HTML sanitizer that rejects javascript: and data: URLs, reduces exposure, but neither is an official recommendation.
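As an added example (my own code, not markdown-to-jsx's source), the following models the attribute-to-prop step described in the Vulnerability section in its pre-7.4.0 and 7.4.0 shapes, and the kind of scheme allowlist a consumer-side sanitizer needs for the workaround mentioned above. Every function and constant name is hypothetical, the allowlist function is my own and does not reproduce the library's sanitizeUrl, and the attacker attributes are constructed.

```javascript
// Added example, not markdown-to-jsx's own code. Names below are hypothetical.

// Schemes a rendered href/src is allowed to carry. Anything else, including
// javascript: and data:, is dropped. Relative URLs (no scheme) pass.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Return the value if its scheme is allowlisted, otherwise null.
// ASCII control characters and whitespace are removed before the scheme is
// read because browsers ignore them inside a scheme ("java\tscript:" runs).
// A bare host:port such as "example.com:8080/x" is also rejected, which is
// the conservative side of the trade-off for a sanitizer.
function allowlistUrl(value) {
  if (typeof value !== 'string') return null;
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return value;                      // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? value : null;
}

// Pre-7.4.0 shape of the attribute-to-prop step as described above: only
// href goes through the URL check; src reaches the element untouched.
function attributeToPropVulnerable(key, value) {
  if (key === 'href') return allowlistUrl(value);
  return value;
}

// 7.4.0 shape: src takes the same path as href.
function attributeToPropFixed(key, value) {
  if (key === 'href' || key === 'src') return allowlistUrl(value);
  return value;
}

// Build the React-style props object for one element from its parsed
// attributes, dropping any attribute the mapper rejected.
function buildProps(attrs, mapper) {
  const props = {};
  for (const [key, value] of Object.entries(attrs)) {
    const mapped = mapper(key, value);
    if (mapped !== null) props[key] = mapped;
  }
  return props;
}

// Constructed inputs: what the parser would hand the mapper for
// <iframe src="javascript:alert()" title="x">, for an anchor whose href
// hides the scheme behind a tab, and for a benign embed.
const MALICIOUS_IFRAME_ATTRS = { src: 'javascript:alert()', title: 'x' };
const OBFUSCATED_LINK_ATTRS = { href: 'JaVa\tScRiPt:alert()' };
const BENIGN_IFRAME_ATTRS = { src: 'https://example.com/embed' };

// Run the constructed inputs through both mappers and return the props.
function demo() {
  return {
    vulnerable: buildProps(MALICIOUS_IFRAME_ATTRS, attributeToPropVulnerable),
    fixed: buildProps(MALICIOUS_IFRAME_ATTRS, attributeToPropFixed),
    linkFixed: buildProps(OBFUSCATED_LINK_ATTRS, attributeToPropFixed),
    benign: buildProps(BENIGN_IFRAME_ATTRS, attributeToPropFixed),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the vulnerable mapper hands the iframe a src of javascript:alert() unchanged, while the fixed mapper drops that src (keeping the harmless title attribute), rejects the tab-obfuscated javascript: href, and lets the https embed through. The point of stripping control characters before reading the scheme is that a naive startsWith('javascript:') check is bypassed by exactly the obfuscated input shown.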

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: markdown-to-jsx (npm)
Affected versions: < 7.4.0
Patched versions: 7.4.0

Affected products: 3

Patches

1
8eb74da825c0

fix: ensure `src` prop is sanitized

https://github.com/quantizor/markdown-to-jsx · Evan Jacobs · Jan 1, 2024 · via ghsa
1 file changed · +1 −1
  • index.tsx · +1 −1 · modified
    @@ -662,7 +662,7 @@ function attributeValueToJSXPropValue(
     
           return styles
         }, {})
    -  } else if (key === 'href') {
    +  } else if (key === 'href' || key === 'src') {
         return sanitizeUrl(value)
       } else if (value.match(INTERPOLATION_R)) {
         // return as a string and let the consumer decide what to do with it
    
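Review bot: the allowlist in the `else if` is now two string literals, `'href'` and `'src'`, so any other attribute whose value a browser resolves as a URL still falls through to the `INTERPOLATION_R` branch and the default path below it and reaches the element unsanitized; consider replacing `key === 'href' || key === 'src'` with a membership test against a named set of URL-bearing attribute names so the next omission is a one-line addition rather than another `||`. The change also ships without a regression test for the vector in the advisory, an `iframe` whose `src` is a `javascript:` URL, and a one-line comment above the branch explaining why `src` is treated like `href` would help the next reader.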

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions: 0 (no linked articles in our index yet).