PT-2025-30053 · Unknown · @Nuxtjs/Mdc

Vozec · Published 2025-07-18 · Updated 2025-07-20 · CVE-2025-54075

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions
@nuxtjs/mdc versions prior to 0.17.2

Description
A remote script-inclusion / stored cross-site scripting issue exists in @nuxtjs/mdc. A Markdown author can inject a <base href="https://attacker.tld"> element, which rewrites how relative URLs are resolved. This allows an attacker to load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context.

Recommendations
Update @nuxtjs/mdc to version 0.17.2 or later.
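
To check stored content while the upgrade is rolled out, the sketch below scans Markdown source for <base> elements outside code samples and shows which origin a relative URL would resolve to. It is an added example, not code from @nuxtjs/mdc or from this advisory; the function names, site.example, docs.example and the sample document are assumptions, and the regex scan is a heuristic rather than the project's fix.

```javascript
// Added example: heuristic audit of Markdown source for <base> elements.
// Function names and the sample document are constructed for illustration.

// Return every <base ...> tag that sits outside fenced and inline code.
function findBaseTags(markdown) {
  const hits = [];
  let fence = null; // opening fence marker while inside a fenced block
  markdown.split(/\r?\n/).forEach((line, i) => {
    const m = /^\s*(`{3,}|~{3,})/.exec(line);
    if (m) {
      if (!fence) fence = m[1];
      else if (m[1][0] === fence[0] && m[1].length >= fence.length) fence = null;
      return;
    }
    if (fence) return; // code samples are rendered as text, not as HTML
    const visible = line.replace(/`[^`]*`/g, ''); // drop inline code spans
    for (const tag of visible.matchAll(/<base\b[^>]*>/gi)) {
      const h = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag[0]);
      hits.push({ line: i + 1, href: h ? (h[1] ?? h[2] ?? h[3]) : null });
    }
  });
  return hits;
}

// Origin a relative URL resolves to, with or without a <base href> in effect.
function resolvedOrigin(relativeUrl, pageUrl, baseHref) {
  const base = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(relativeUrl, base).origin;
}

// Constructed sample content; site.example and docs.example are placeholders.
const F = '`'.repeat(3); // Markdown code fence marker
const sample = [
  '# Post',
  '<base href="https://attacker.tld">',
  F + 'html',
  '<base href="https://docs.example">',
  F,
  'Inline `<base href="x">` is only text.',
].join('\n');

const PAGE = 'https://site.example/blog/post';
for (const hit of findBaseTags(sample)) {
  const before = resolvedOrigin('/assets/app.js', PAGE, null);
  const after = resolvedOrigin('/assets/app.js', PAGE, hit.href);
  console.log(`line ${hit.line}: base ${hit.href} moves /assets/app.js from ${before} to ${after}`);
}
```

A hit only marks content for review; whether it was rendered as a live element depends on the @nuxtjs/mdc version that served it.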

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-54075
GHSA-CJ6R-RRR9-FG82

Affected Products

@Nuxtjs/Mdc