mdex is vulnerable to Cross-site Scripting (XSS)
23
Low Risk
mdex is vulnerable to cross-site scripting when rendering Markdown with syntax highlighting and full info-string forwarding enabled (render: [full_info_string: true]). The Lumis adapter (LumisAdapter::parse_custom_attributes in lumis_adapter.rs) copies the highlight_lines_class value from a fenced code block's info string verbatim into the class attribute of each highlighted line without HTML escaping. An attacker who controls the Markdown can use a shlex-quoted payload such as '"> alert(1) ' to terminate the attribute early and inject arbitrary HTML and JavaScript that runs in every viewer's browser.
You are affected if you are using a version that falls within the vulnerable range.
mdex is vulnerable to Cross-site Scripting (XSS) in versions 0.11.3 - 0.12.2.
Upgrade the mdex library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant