CVE-2025-66400: mdast-util-to-hast unsanitized class attribute

Published Dec 1, 2025
·
Updated

### Impact Multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown `code` elements appear like the rest of the page. The following markdown: ````markdown ```js&#x20;xss ``` ```` Would create `<pre><code class="language-js xss"></code></pre>` If your page then applied `.xss` classes (or listeners in JS), those apply to this element. For more info see <https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md#unsanitized-class-attribute> ### Patches The bug was patched. When using regular semver, run `npm install`. For exact ranges, make sure to use `13.2.1`. ### Workarounds Update. ### References * bug introduced in https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 * bug fixed in https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7

Affected Software

4 affected componentsFixes available
mdast mdast-util-to-hast>13.0.0<=13.2.1
npm/mdast-util-to-hast>=13.0.0<13.2.1
13.2.1
Unifiedjs Mdast-util-to-hast Node.js>=13.0.0<13.2.1
IBM Concert Software<=1.0.0-2.2.0

Remediation

Patch Available

https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403

Patch Available

https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7

Event History

Dec 1, 2025
CVE Published
via MITRE·10:17 PM
Data Sourced
via MITRE·10:17 PM
DescriptionWeakness
Data Sourced
via NVD·11:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·11:15 PM
RemedyAffected Software
Dec 2, 2025
Advisory Published
via GitHub·01:25 AM
Data Sourced
via GitHub·01:25 AM
DescriptionWeaknessAffected Software
Apr 6, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-66400?

CVE-2025-66400 has a high severity due to the potential for untrusted user content to be manipulated.

2

How do I fix CVE-2025-66400?

To fix CVE-2025-66400, update mdast-util-to-hast to version 13.2.1 or later.

3

What versions are affected by CVE-2025-66400?

CVE-2025-66400 affects mdast-util-to-hast from version 13.0.0 to before 13.2.1.

4

What kind of attack does CVE-2025-66400 vulnerability enable?

CVE-2025-66400 enables user-supplied markdown code to be rendered using unprefixed classnames, which may lead to CSS styling conflicts.

5

Is user input affected by CVE-2025-66400?

Yes, CVE-2025-66400 specifically impacts user input processed through the mdast-util-to-hast module.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203