PT-2022-26040 · Unknown · Markdownify

Carlos Bello · Published 2022-11-03 · Updated 2025-04-22 · CVE-2022-41710

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Markdownify version 1.4.1
Description: The issue allows an external attacker to remotely obtain arbitrary local files from any client that views a malicious markdown file through Markdownify. This is possible because the application has no Content Security Policy (CSP), or not a strict enough one, and/or does not properly validate the contents of markdown files before rendering them.
Recommendations: For Markdownify version 1.4.1, implement a strict Content Security Policy (CSP) and properly validate the contents of markdown files before rendering them to prevent exploitation. As a temporary workaround, restrict the use of Markdownify until a patch is available.
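As an added illustration of the two recommendations above (example code, not Markdownify's own and not from the advisory): a strict CSP for a local markdown viewer and a pre-render audit that flags raw HTML and file: references in an untrusted markdown file. The pattern list, function names and sample documents are assumptions constructed for this example.

```javascript
// Assumption: the viewer renders markdown (including any embedded raw HTML)
// in a browser-like context that honours a Content-Security-Policy <meta> tag.

// A strict CSP for a viewer that only displays local markdown: no script
// except the app's own bundle, no remote or file: loads, no outbound connections.
const STRICT_CSP = [
  "default-src 'none'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src data:",
  "connect-src 'none'",
  "object-src 'none'",
  "base-uri 'none'",
  "form-action 'none'",
].join("; ");

function cspMetaTag(csp = STRICT_CSP) {
  return `<meta http-equiv="Content-Security-Policy" content="${csp}">`;
}

// Constructs a markdown file intended only for display should not need (hypothetical list).
const RISKY_PATTERNS = [
  { name: "inline-script", re: /<\s*script\b/i },
  { name: "frame-or-object", re: /<\s*(iframe|frame|object|embed)\b/i },
  { name: "event-handler", re: /\son\w+\s*=/i },
  { name: "file-url", re: /\bfile:\/\//i },
  { name: "javascript-url", re: /javascript\s*:/i },
  { name: "meta-refresh", re: /<\s*meta\b[^>]*http-equiv/i },
];

// Returns one finding per matched pattern with the 1-based line of the first hit.
// A non-empty result means the file should be rejected or shown as plain text.
function auditMarkdown(text) {
  const findings = [];
  for (const { name, re } of RISKY_PATTERNS) {
    const m = re.exec(text);
    if (m) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ name, line });
    }
  }
  return findings;
}

// Constructed samples: a benign document and one carrying raw HTML plus a file: URL.
const BENIGN_MD = "# Notes\n\nSee [docs](https://example.com/docs).\n";
const SUSPICIOUS_MD = "# Notes\n\n<script></script>\n![](file:///tmp/example.txt)\n";
```

`auditMarkdown(SUSPICIOUS_MD)` reports `inline-script` on line 3 and `file-url` on line 4, while the benign document yields no findings.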

Weakness Enumeration: Files Accessible to External Parties

Related Identifiers: CVE-2022-41710, GHSA-QQHF-XFHW-7884

Affected Products: Markdownify