CVE-2025-66400

ADVISORY - github

Summary

Impact

Multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. The following markdown:

```js&#x20;xss
```

Would create <pre><code class="language-js xss"></code></pre> If your page then applied .xss classes (or listeners in JS), those apply to this element. For more info see https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md#unsanitized-class-attribute

Patches

The bug was patched. When using regular semver, run npm install. For exact ranges, make sure to use 13.2.1.

Workarounds

Update.

References

EPSS Score⁠: 0.00076 (0.226)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20⁠

Improper Input Validation

CWE-915⁠

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-other⁠

ADVISORY - github

CWE-20⁠

Improper Input Validation

CWE-915⁠

Improperly Controlled Modification of Dynamically-Determined Object Attributes

ADVISORY - redhat

(CWE-20|CWE-915)⁠

Impacted images

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.