CVE-2025-51691
Description
Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before rendering it. Successful exploitation could lead to session hijacking, credential theft, or arbitrary client-side code execution in the context of the victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MarkTwo Markdown Editor has a stored XSS flaw because unsanitized user input is rendered; remote attackers can run arbitrary JavaScript via crafted Markdown.
Root Cause
The vulnerability lies in MarkTwo markdown editor commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (latest as of May 2025). The application fails to sanitize user-supplied Markdown before rendering it in the browser, allowing injection of arbitrary HTML/JavaScript. This is a classic cross-site scripting (XSS) weakness in the editor interface [1][2].
Exploitation
An attacker can craft a malicious Markdown document containing embedded `<script>` tags or other XSS payloads. When a victim views the crafted document in MarkTwo, the browser executes the injected JavaScript in the context of the MarkTwo application. No authentication or special privileges are required: the attacker only needs to entice the victim to open the crafted content (e.g., via a shared link or by embedding the content in a comment) [2].
Impact
Successful exploitation enables session hijacking, credential theft, or arbitrary client-side code execution in the victim's browser. The attacker can steal cookies, access local storage, or redirect the victim to phishing pages, all within the security context of the MarkTwo application [1][2].
Mitigation
As of the disclosure date (August 2025), the advisory recommends updating to a patched version. Users should apply proper output encoding or use a Markdown parser that sanitizes dangerous HTML elements. No workaround is available beyond disabling the editor until a fix is deployed [2].
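The output-encoding option mentioned above, as an added example that is not code from MarkTwo or from the advisory: untrusted Markdown is HTML-encoded before any Markdown rule runs, and link targets pass a scheme allowlist. The function names, the supported Markdown subset and the sample document are assumptions made for illustration.

```javascript
// Added example: encode first, then render a small Markdown subset.
// All names are hypothetical; this is not MarkTwo's code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: neutralise characters that can open a tag or close an attribute.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Allowlist link schemes. Returns null for anything else (javascript:, data:, ...).
function safeHref(url) {
  // URL parsers strip leading control characters and embedded tabs/newlines,
  // so remove control characters and spaces before checking the scheme.
  const cleaned = url.replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!scheme) return cleaned; // relative URL or fragment
  return ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase()) ? cleaned : null;
}

// Untrusted Markdown in, HTML out. Because the source is encoded before any
// Markdown rule runs, the only tags in the result are the ones emitted below.
function renderUntrustedMarkdown(source) {
  return escapeHtml(source)
    .split(/\n{2,}/)
    .map((para) => {
      const html = para
        .replace(/`([^`]+)`/g, '<code>$1</code>')
        .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
        .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (match, label, url) => {
          const href = safeHref(url);
          // A rejected link degrades to its plain label.
          return href === null ? label : `<a href="${href}" rel="noopener noreferrer">${label}</a>`;
        });
      return `<p>${html}</p>`;
    })
    .join('\n');
}

// Constructed sample document (not taken from the advisory).
const sample = [
  '**Notes** with `code` and a [link](https://example.com/docs)',
  '<script>alert(1)</script>',
  '[profile](javascript:void)',
].join('\n\n');

console.log(renderUntrustedMarkdown(sample));
```

This covers only a small Markdown subset; a full parser that passes raw HTML through needs an HTML sanitizer applied to its output instead.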
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298
Patches
No patches discovered yet.
References