Bug 2390127 (CVE-2025-7969)

Summary:	CVE-2025-7969 markdown-it: Markdown-it Cross-site scripting
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	abarbaro, alizardo, dhanak, drosa, dsimansk, jcantril, jchui, jhe, kingland, ktsao, kverlaen, matzew, mnovotny, nboldt, oaljalju, psrna, rojacob, sausingh, sdawley
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A cross-site scripting vulnerability was found in the markdown-it npm library. This flaw is related to incomplete sanitization during the processing of code blocks.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2390139, 2390140, 2390141, 2390142, 2390143, 2390144, 2390145, 2390146, 2390147, 2390148, 2390149
Bug Blocks:

Description OSIDB Bzimport 2025-08-21 17:01:35 UTC

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs.

This issue affects markdown-it: 14.1.0.