VYPR
Moderate severity · NVD Advisory · Published Dec 1, 2025 · Updated Dec 2, 2025

mdast-util-to-hast unsanitized class attribute

CVE-2025-66400

Description

mdast-util-to-hast is an mdast utility that transforms mdast to hast. In versions from 13.0.0 to before 13.2.1, multiple (unprefixed) class names could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
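
A defence-in-depth check for the behaviour described above, as an added example that is not code from mdast-util-to-hast or its patch: it walks a hast tree after conversion and keeps at most one `language-`-prefixed class on each `code` element. The function names, the allowed-character pattern and the sample tree are assumptions made for illustration; upgrading to 13.2.1 remains the fix.

```javascript
// Assumption: hast elements look like {type:'element', tagName, properties, children}
// and properties.className is an array of strings.
const LANGUAGE_CLASS = /^language-[A-Za-z0-9_+#.-]+$/;

function restrictCodeClasses(node, report = []) {
  if (node.type === 'element' && node.tagName === 'code') {
    const props = node.properties || {};
    const raw = Array.isArray(props.className)
      ? props.className
      : props.className == null ? [] : [props.className];
    // Split on whitespace as well: a single array entry that contains a space
    // still serializes to several classes in the final class="" attribute.
    const tokens = raw.flatMap((c) => String(c).split(/\s+/)).filter(Boolean);
    // Keep at most one token, and only if it carries the language- prefix.
    const kept = tokens.filter((t) => LANGUAGE_CLASS.test(t)).slice(0, 1);
    const dropped = tokens.filter((t) => !kept.includes(t));
    if (dropped.length > 0) report.push({ kept, dropped });
    if (kept.length > 0) {
      node.properties = { ...props, className: kept };
    } else if (node.properties) {
      delete node.properties.className;
    }
  }
  for (const child of node.children || []) restrictCodeClasses(child, report);
  return report; // one entry per code element that had classes removed
}

// Constructed sample tree (not taken from the advisory): one code element with
// an extra unprefixed class, one with only the expected language class.
function makeSampleTree() {
  return {
    type: 'root',
    children: [
      { type: 'element', tagName: 'pre', properties: {}, children: [
        { type: 'element', tagName: 'code',
          properties: { className: ['language-js site-header'] },
          children: [{ type: 'text', value: 'let x = 1' }] },
      ] },
      { type: 'element', tagName: 'code',
        properties: { className: ['language-rust'] }, children: [] },
    ],
  };
}

console.log(JSON.stringify(restrictCodeClasses(makeSampleTree())));
```

The returned report can be logged to spot user-supplied markdown that tried to attach extra classes.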

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
mdast-util-to-hast (npm) | >= 13.0.0, < 13.2.1 | 13.2.1

Affected products

23

References

5
