VYPR
High severity · 8.3 · OSV Advisory · Published Jul 18, 2025 · Updated Apr 15, 2026

CVE-2025-54075

Description

MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. Prior to version 0.17.2, a remote script-inclusion / stored cross-site scripting vulnerability in @nuxtjs/mdc lets a Markdown author inject a <base href="https://attacker.tld"> element. The <base> tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context. Version 0.17.2 contains a fix for the issue.
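
What an injected `<base>` element does to relative URLs, with a tree audit that flags it. This is an added example, not code from @nuxtjs/mdc or from the advisory. The node shape (`type`, `tag`, `props`, `children`), the function names and the `docs.example` URL are assumptions made for illustration, and the sample tree is constructed.

```javascript
// Added example, not project code. Node shape and names are assumptions.
const DANGEROUS_TAGS = new Set(['script', 'base']) // the two tags listed by the 0.17.2 fix

// Resolve a relative URL as a browser would: against <base href> when one is
// present and valid, otherwise against the document URL.
function resolveResource(relativeUrl, documentUrl, baseHref) {
  let base = new URL(documentUrl)
  if (baseHref) {
    try { base = new URL(baseHref, documentUrl) } catch { /* invalid href: ignored */ }
  }
  return new URL(relativeUrl, base).href
}

// Walk the tree and collect every element whose tag is on the deny list.
// Tags are lower-cased before the comparison so 'BASE' is not missed.
function findDangerousNodes(node, path = 'root', findings = []) {
  const tag = node.type === 'element' ? String(node.tag).toLowerCase() : null
  if (tag && DANGEROUS_TAGS.has(tag)) {
    findings.push({ path, tag, href: (node.props && node.props.href) || null })
  }
  for (const [i, child] of (node.children || []).entries()) {
    findDangerousNodes(child, `${path}.children[${i}]`, findings)
  }
  return findings
}

// For each finding, report where a relative resource URL would end up and
// whether that is outside the site's own origin.
function auditTree(tree, documentUrl, sampleRelativeUrl = 'assets/app.js') {
  const siteOrigin = new URL(documentUrl).origin
  return findDangerousNodes(tree).map((f) => {
    if (f.tag !== 'base' || !f.href) return { ...f, resolved: null, crossOrigin: false }
    const resolved = resolveResource(sampleRelativeUrl, documentUrl, f.href)
    return { ...f, resolved, crossOrigin: new URL(resolved).origin !== siteOrigin }
  })
}

// Constructed sample: a document tree carrying the <base> element from the advisory text.
const sampleTree = {
  type: 'root',
  children: [
    { type: 'element', tag: 'base', props: { href: 'https://attacker.tld' }, children: [] },
    { type: 'element', tag: 'p', props: {}, children: [{ type: 'text', value: 'Hello' }] }
  ]
}

console.log(auditTree(sampleTree, 'https://docs.example/guide/intro'))
```

A finding with `crossOrigin: true` means every relative script, style or image URL after that node would be fetched from the other origin.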

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| @nuxtjs/mdc (npm) | < 0.17.2 | 0.17.2 |

Patches

3
3657a5bf2326

Merge commit from fork

https://github.com/nuxt-modules/mdc · Farnabaz · Jul 18, 2025 · via ghsa
1 file changed · +10 -5
  • src/runtime/components/MDCRenderer.vue · +10 -5 · modified
    @@ -24,6 +24,11 @@ const specialParentTags = ['math', 'svg']
     
     const proseComponentMap = Object.fromEntries(['p', 'a', 'blockquote', 'code', 'pre', 'code', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'img', 'ul', 'ol', 'li', 'strong', 'table', 'thead', 'tbody', 'td', 'th', 'tr', 'script'].map(t => [t, `prose-${t}`]))
     
    +/**
    + * Tags that are dangerous and should be rendered as plain text
    + */
    +const dangerousTags = ['script', 'base']
    +
     export default defineComponent({
       name: 'MDCRenderer',
       props: {
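
Review bot: The doc comment on `dangerousTags` says these tags are "rendered as plain text" but not why each one is listed, and `'script'` still appears in the `proseComponentMap` array on the context line just above, so the two lists now disagree about how a script node is handled. Please record in the comment why `base` is included (it changes how relative URLs on the page resolve) and which list takes precedence for `script`. A fixed two-entry deny list also has to be revisited whenever another tag turns out to matter, so a short note on when to extend it would help.
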
    @@ -181,13 +186,13 @@ function _renderNode(node: MDCNode, h: CreateElement, options: MDCRenderOptions,
     
       const _resolveComponent = isUnresolvableTag(renderTag) ? (component: unknown) => component : resolveComponent
     
    -  // Prevent script execution by converting script tags to pre tags
    -  // This code will excute only when prose components are disabled, otherwise the script will be handled by ProseScript component
    -  if (renderTag === 'script') {
    +  // Prevent script execution by converting dangerous tags to pre tags
    +  // This security check can be bypassed by Prose components.
    +  if (dangerousTags.includes(renderTag)) {
         return h(
           'pre',
    -      { class: 'script-to-pre' },
    -      '<' + 'script' + '>\n' + nodeTextContent(node) + '\n<' + '/script' + '>'
    +      { class: 'mdc-renderer-dangerous-tag' },
    +      '<' + renderTag + '>' + nodeTextContent(node) + '<' + '/' + renderTag + '>'
         )
       }
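
Review bot: `dangerousTags.includes(renderTag)` is an exact, case-sensitive match, so the check only holds if `renderTag` is already lower-cased when it reaches this branch, and nothing in the hunk shows that. Consider comparing against `renderTag.toLowerCase()` or stating the normalization in a comment. The new comment "This security check can be bypassed by Prose components." also leaves the guarantee unclear: say under which configuration the branch is skipped and what handles the tag instead, as the removed comment did for `ProseScript`. The rewritten text argument also drops the `\n` padding the old output had around the node text; confirm that is intended.
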
     
    
