Bug 2418157 (CVE-2025-66400) - CVE-2025-66400 mdast-util-to-hast: mdast-util-to-hast: Markdown code elements can appear as regular page content
Keywords:
Status: NEW
Alias: CVE-2025-66400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2422986 2422987 2422988 2422991 2422994 2422989 2422990 2422992 2422993
Blocks:
Reported: 2025-12-01 23:01 UTC by OSIDB Bzimport
Modified: 2025-12-17 06:36 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-01 23:01:51 UTC
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
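As an added defender-side example (not code from the mdast-util-to-hast project or from this advisory), the check below post-processes a hast tree and keeps only a single whitespace-free `language-*` class token on each `code` element, so any extra class names smuggled in through the info string are dropped and reported. The tree shape, the regex and the sample token are assumptions; the page does not show the library's internal output.

```javascript
// Added defender-side example; not code from mdast-util-to-hast or the advisory.
// Assumes a hast-like tree of plain objects: {type, tagName, properties, children}.
// Only a single whitespace-free "language-<id>" token is accepted on <code>.
const LANG_CLASS = /^language-[A-Za-z0-9_+#.-]+$/;
// True when one className token is acceptable for a <code> element.
function isSafeCodeClass(token) {
  return typeof token === 'string' && LANG_CLASS.test(token);
}
// Walks the tree in place, strips offending class tokens from <code> elements
// and returns the tokens that were dropped (handy for logging or alerting).
function hardenCodeClasses(tree) {
  const dropped = [];
  const visit = (node) => {
    if (!node || typeof node !== 'object') return;
    if (node.type === 'element' && node.tagName === 'code' && node.properties) {
      const raw = node.properties.className;
      const tokens = Array.isArray(raw) ? raw : raw == null ? [] : [raw];
      const kept = [];
      for (const t of tokens) {
        // A token holding whitespace becomes several classes once the class="..."
        // attribute is serialised; that is how unprefixed class names reach the page.
        if (kept.length === 0 && isSafeCodeClass(t)) kept.push(t);
        else dropped.push(String(t));
      }
      if (kept.length > 0) node.properties.className = kept;
      else delete node.properties.className;
    }
    for (const child of node.children || []) visit(child);
  };
  visit(tree);
  return dropped;
}
// Constructed sample (assumed pre-fix output shape): an info string
// "js&#x20;prose" decoded to "js prose" yields className ['language-js prose'].
const sample = {
  type: 'root',
  children: [{
    type: 'element', tagName: 'pre', properties: {},
    children: [{
      type: 'element', tagName: 'code',
      properties: { className: ['language-js prose'] },
      children: [{ type: 'text', value: 'console.log(1)' }],
    }],
  }],
};
const droppedTokens = hardenCodeClasses(sample); // ['language-js prose']
```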

