mdex_native is vulnerable to Cross-site Scripting (XSS)
23
Low Risk
mdex_native is vulnerable to Cross-site Scripting when rendering Markdown with syntax highlighting and full info-string forwarding enabled (render: [full_info_string: true]). The Lumis adapter (LumisAdapter::parse_custom_attributes in lumis_adapter.rs) copies the highlight_lines_class value from a fenced code block's info string verbatim into the class attribute of each highlighted line without HTML escaping. An attacker who controls the Markdown can use a shlex-quoted payload such as '"> alert(1) ' to terminate the attribute early and inject arbitrary HTML and JavaScript that runs in every viewer's browser.
You are affected if you are using a version that falls within the vulnerable range.
mdex_native is vulnerable to Cross-site Scripting (XSS) in versions 0.1.0 - 0.2.2.
Upgrade the mdex_native library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant