Moderate severity · NVD Advisory · Published Dec 1, 2025 · Updated Dec 2, 2025
mdast-util-to-hast unsanitized class attribute
CVE-2025-66400
Description
mdast-util-to-hast is an mdast utility that transforms mdast to hast. In versions from 13.0.0 up to, but not including, 13.2.1, multiple (unprefixed) class names could be added from markdown source by using character references. This could make rendered, user-supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
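As an added example (not code from mdast-util-to-hast itself) of the mechanics the description outlines: a copy of the `code` handler's class logic before and after patch ab3a795, a stand-in for how `className` becomes a `class` attribute and is re-tokenized by the browser, and a check that flags class tokens lacking the `language-` prefix. The input node is constructed to match the shape the advisory describes, a `lang` that still contains whitespace after a character reference in the fence's info string has been decoded.

```javascript
// Added example, not code from mdast-util-to-hast itself: the `code`
// handler's class logic before and after patch ab3a795, a stand-in for
// how `className` becomes a `class` attribute, and a defender's check.

// Vulnerable shape (13.0.0 up to 13.2.1): `node.lang` is used verbatim.
function codeVulnerable(node) {
  const properties = {}
  if (node.lang) properties.className = ['language-' + node.lang]
  return properties
}

// Fixed shape (13.2.1): split on whitespace, keep only the first word.
// `\s` also matches non-ASCII whitespace such as U+00A0, so a `lang`
// built from `&nbsp;` is cut back to its first word as well.
function codeFixed(node) {
  const properties = {}
  const language = node.lang ? node.lang.split(/\s+/) : []
  if (language.length > 0) properties.className = ['language-' + language[0]]
  return properties
}

// hast serializers join `className` with a single space into
// `class="..."`; browsers then re-split that attribute on ASCII
// whitespace, so a space inside one array entry becomes two tokens.
function classTokens(properties) {
  const attribute = (properties.className || []).join(' ')
  return attribute.split(/[ \t\n\f\r]+/).filter(Boolean)
}

// Check: on a rendered code element every class token should carry the
// `language-` prefix; anything else came from untrusted markdown.
function unprefixedClasses(properties) {
  return classTokens(properties).filter((t) => !t.startsWith('language-'))
}

// Constructed input (hypothetical): a code node whose `lang` still
// holds a space after a character reference in the fence info string
// was decoded, the situation the advisory describes.
const hostileNode = {type: 'code', lang: 'js hidden', value: 'x()'}

// Vulnerable handler leaks `hidden` as a bare class; the fixed one does not.
// unprefixedClasses(codeVulnerable(hostileNode)) -> ['hidden']
// unprefixedClasses(codeFixed(hostileNode))      -> []
```

Running `unprefixedClasses` over the `properties` of every `code` element in a rendered tree is a quick way to confirm a pipeline is on the patched behaviour.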
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mdast-util-to-hast (npm) | >= 13.0.0, < 13.2.1 | 13.2.1 |
Affected products
- Range: >= 13.0.0, < 13.2.1
Patches
ab3a79570a1a Fix support for spaces in class names
2 files changed · +12 −2
lib/handlers/code.js+5 −2 modified@@ -18,9 +18,12 @@ export function code(state, node) { const value = node.value ? node.value + '\n' : '' /** @type {Properties} */ const properties = {} + // Someone can write `js python	ruby`. + const language = node.lang ? node.lang.split(/\s+/) : [] - if (node.lang) { - properties.className = ['language-' + node.lang] + // GH/CM still drop the non-first languages. + if (language.length > 0) { + properties.className = ['language-' + language[0]] } // Create `<code>`.
test/code.js+7 −0 modified@@ -34,6 +34,13 @@ test('code', async function (t) { } ) + await t.test('should transform `lang` w/ spaces', async function () { + assert.deepEqual( + toHast({type: 'code', lang: 'js python\truby', value: 'echo()'}), + h('pre', [h('code', {className: ['language-js']}, 'echo()\n')]) + ) + }) + await t.test('should support `meta`', async function () { assert.deepEqual( toHast({type: 'code', lang: 'js', meta: 'echo', value: 'foxtrot()'}),
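Review bot: in the `lib/handlers/code.js` hunk, `node.lang.split(/\s+/)` yields a leading empty string when `lang` starts with whitespace (`' js'` gives `['', 'js']`), and a whitespace-only `lang` gives `['', '']`; in both cases `language.length > 0` passes and `className` becomes `['language-']`. Trimming first, `node.lang.trim().split(/\s+/)`, and skipping an empty first element would avoid emitting a bare `language-` class. The comment `// Someone can write \`js python	ruby\`` also carries a literal tab; writing `\t` makes the intent readable.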
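Review bot: the new test in `test/code.js` covers a space and a tab inside `lang` but not the boundary cases the split in `lib/handlers/code.js` has to get right: a `lang` with leading or trailing whitespace, one that is whitespace only, and one containing non-ASCII whitespace such as U+00A0. Adding those cases pins down that only `language-js`, or no class at all, comes out.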
6fc783ae6abd Change to remove support for ancient `lang` on `code` with spaces
1 file changed · +2 −5
lib/handlers/code.js+2 −5 modified@@ -20,14 +20,11 @@ */ export function code(state, node) { const value = node.value ? node.value + '\n' : '' - // To do: next major, use `node.lang` w/o regex, the splitting’s been going - // on for years in remark now. - const lang = node.lang ? node.lang.match(/^[^ \t]+(?=[ \t]|$)/) : undefined /** @type {Properties} */ const properties = {} - if (lang) { - properties.className = ['language-' + lang] + if (node.lang) { + properties.className = ['language-' + node.lang] } // Create `<code>`.
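Review bot: removing the `/^[^ \t]+(?=[ \t]|$)/` match in this hunk means `className` now carries `node.lang` verbatim, so any whitespace in `lang` is serialized into the `class` attribute as extra, unprefixed tokens. The removed to-do relies on remark always splitting `lang` at whitespace, which the description above shows does not hold once a character reference is decoded, and the other listed patch (ab3a795) reintroduces a split for exactly that reason. If the regex is dropped, the handler still needs to keep only the first whitespace-delimited word.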
References
- github.com/advisories/GHSA-4fh9-h7wg-q85m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66400 (NVD advisory)
- github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 (commit)
- github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7 (commit)
- github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m (GHSA advisory in the project repository)