PT-2026-53680 · Git+1 · Mdex+1
Leandro Pereira
+1
·
Publicado
2026-06-29
·
Atualizado
2026-06-29
·
CVE-2026-53427
CVSS v4.0
2.3
Baixa
| Vetor | AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full info string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight lines class info-string attribute, unescaped, into the class attribute of every rendered line. comrak nif::lumis adapter::LumisAdapter::parse custom attributes in native/comrak nif/src/lumis adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight lines config pulls highlight lines class into the per-line class value, and write highlighted interpolates that value directly into the class attribute of the per-line
. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '">' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak nif/src/lumis adapter.rs) and was later extracted into the separate mdex native package (native/mdex native nif/src/lumis adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex native from 0.1.0 before 0.2.3.
Workaround
Do not enable full info-string forwarding (render: [full info string: true]) when rendering untrusted Markdown, which prevents the highlight lines class attribute from reaching the highlighter. Alternatively, restrict highlight lines class values to a safe character set (for example [A-Za-z0-9 - ]) before rendering.
Configuration
The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax highlight: [formatter: {:html inline, ...}] or {:html linked, ...}) and with full info-string forwarding enabled (render: [full info string: true]). Full info-string forwarding is required for comrak to hand the highlight lines class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Mdex
Mdex Native