CVE-2025-66400

MEDIUM

mdast-util-to-hast 13.0.0 to <13.2.1 - Unintended Class Names via Character References

Title source: llm

Description

mdast-util-to-hast is a utility that transforms mdast (markdown) syntax trees into hast (HTML) syntax trees. In versions 13.0.0 up to but not including 13.2.1, character references in markdown source could be used to add multiple class names, including unprefixed ones, to a rendered element. The language of a fenced code block is normally emitted as a single prefixed class (`language-<lang>`); a character reference that decodes to whitespace inside that language token produces a class attribute that browsers split into several classes, so user-supplied markdown could make rendered code elements pick up the page's own styling and look like the rest of the page. This is a content-spoofing / integrity issue (CVSS I:L), not a confidentiality leak; nothing is disclosed. This vulnerability is fixed in 13.2.1.
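The following is an added illustration, not code from mdast-util-to-hast or the unified project. It assumes the usual convention that a fenced code block's language is turned into a single `'language-' + lang` class, and that the language token is the first whitespace-delimited word of the info string after character references are decoded (CommonMark permits character references in info strings). `findSuspiciousFences`, `classNamesVulnerable` and `classNamesHardened` are hypothetical helper names; the sample markdown is constructed for the demonstration.

```javascript
// Added illustration for CVE-2025-66400; this is NOT code from mdast-util-to-hast.
// It models the assumed class-name construction for fenced code blocks
// ('language-' + lang) and shows how a character reference in the info string
// turns one prefixed class into several.

// Decode numeric character references (&#NNN; and &#xHHH;) the way a CommonMark
// parser does for info strings. Named references (e.g. &Tab;) are not handled here.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, n) => {
    const cp = n[0].toLowerCase() === 'x' ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return String.fromCodePoint(cp);
  });
}

// Vulnerable pattern (assumed): the decoded language is pasted straight into a class name.
function classNamesVulnerable(lang) {
  return ['language-' + lang];
}

// Hardened pattern: keep only the leading run of non-whitespace, so the output
// is always exactly one prefixed class (or none for an empty token).
function classNamesHardened(lang) {
  const first = lang.trim().split(/[\t\n\f\r ]+/)[0];
  return first ? ['language-' + first] : [];
}

// What the browser does with the serialized class attribute: split on ASCII whitespace.
function effectiveClasses(classNames) {
  return classNames.join(' ').split(/[\t\n\f\r ]+/).filter(Boolean);
}

// Scan markdown source for fence openers whose language token decodes to
// something containing whitespace. Returns one record per suspicious fence,
// with the classes a browser would end up seeing under the vulnerable pattern.
function findSuspiciousFences(markdown) {
  const findings = [];
  markdown.split('\n').forEach((line, index) => {
    const m = /^ {0,3}(?:`{3,}|~{3,})[ \t]*([^ \t]+)/.exec(line);
    if (!m) return;
    const lang = decodeNumericRefs(m[1]);
    if (/[\t\n\f\r ]/.test(lang)) {
      findings.push({
        line: index + 1,
        raw: m[1],
        lang,
        classes: effectiveClasses(classNamesVulnerable(lang)),
      });
    }
  });
  return findings;
}

// Constructed sample: the second fence smuggles spaces via &#x20; and &#32;
// to attach the unprefixed classes "prose" and "site-text" to the <code> element.
const SAMPLE_MARKDOWN = [
  '# Notes',
  '```js',
  'console.log(1)',
  '```',
  '```js&#x20;prose&#32;site-text',
  'console.log(2)',
  '```',
].join('\n');

console.log(findSuspiciousFences(SAMPLE_MARKDOWN));
console.log(classNamesHardened('js prose site-text'));
```

The scanner works on raw markdown rather than on the library's output so it runs without installing anything and can be pointed at stored user content to find documents that exercise this behaviour; the hardened function shows the shape of a fix (one whitespace-free token, always prefixed), which is the property worth asserting in a regression test after upgrading to 13.2.1.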

Scores

CVSS v3 5.3
EPSS 0.0008
EPSS Percentile 22.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-915 CWE-20
Status published
Products (2)
npm/mdast-util-to-hast 13.0.0 to <13.2.1 (npm)
unifiedjs/mdast-util-to-hast 13.0.0 to <13.2.1
Published Dec 01, 2025
Tracked Since Feb 18, 2026