Moderate severity · NVD Advisory · Published Dec 1, 2025 · Updated Dec 2, 2025
mdast-util-to-hast unsanitized class attribute
CVE-2025-66400
Description
mdast-util-to-hast is a utility that transforms mdast to hast. In versions from 13.0.0 up to, but not including, 13.2.1, multiple (unprefixed) class names could be added in markdown source by using character references. This could make rendered, user-supplied markdown code elements appear like the rest of the page. The vulnerability is fixed in 13.2.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mdast-util-to-hast (npm) | >= 13.0.0, < 13.2.1 | 13.2.1 |
Affected products
osv-coords, 22 versions:
| Package | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/langfuse-2 | (no CPE) | < 2.95.12-r2 |
| pkg:apk/chainguard/langfuse-2-compat | (no CPE) | < 2.95.12-r2 |
| pkg:apk/chainguard/langfuse-2-worker | (no CPE) | < 2.95.12-r2 |
| pkg:apk/chainguard/langfuse-3 | (no CPE) | < 3.137.0-r1 |
| pkg:apk/chainguard/langfuse-3-compat | (no CPE) | < 3.137.0-r1 |
| pkg:apk/chainguard/langfuse-3-worker | (no CPE) | < 3.137.0-r1 |
| pkg:apk/chainguard/langfuse-fips-2 | (no CPE) | < 2.95.12-r1 |
| pkg:apk/chainguard/langfuse-fips-2-compat | (no CPE) | < 2.95.12-r1 |
| pkg:apk/chainguard/langfuse-fips-2-worker | (no CPE) | < 2.95.12-r1 |
| pkg:apk/chainguard/langfuse-web-3 | (no CPE) | < 3.137.0-r1 |
| pkg:apk/chainguard/langfuse-web-compat | (no CPE) | < 3.137.0-r1 |
| pkg:apk/chainguard/langfuse-worker-3 | (no CPE) | < 3.137.0-r1 |
| pkg:apk/chainguard/librechat | (no CPE) | < 0.8.0-r6 |
| pkg:apk/chainguard/librechat-compat | (no CPE) | < 0.8.0-r6 |
| pkg:apk/chainguard/librechat-dev | (no CPE) | < 0.8.0-r6 |
| pkg:apk/wolfi/langfuse-3 | (no CPE) | < 3.137.0-r1 |
| pkg:apk/wolfi/langfuse-3-compat | (no CPE) | < 3.137.0-r1 |
| pkg:apk/wolfi/langfuse-3-worker | (no CPE) | < 3.137.0-r1 |
| pkg:apk/wolfi/langfuse-web-3 | (no CPE) | < 3.137.0-r1 |
| pkg:apk/wolfi/langfuse-web-compat | (no CPE) | < 3.137.0-r1 |
| pkg:apk/wolfi/langfuse-worker-3 | (no CPE) | < 3.137.0-r1 |
| pkg:npm/mdast-util-to-hast | (no CPE) | >= 13.0.0, < 13.2.1 |
- Range: >= 13.0.0, < 13.2.1
References
- github.com/advisories/GHSA-4fh9-h7wg-q85m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-66400 (ghsa, ADVISORY)
- github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 (ghsa, x_refsource_MISC, WEB)
- github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7 (ghsa, x_refsource_MISC, WEB)
- github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m (ghsa, x_refsource_CONFIRM, WEB)