CVE-2025-66400 MEDIUM

CVE-2025-66400: mdast-util-to-hast unsanitized class attribute

Vendor Syntax-Tree

Product mdast-util-to-hast

Weakness CWE-20 · Input validation

Published December 1, 2025

Last update December 2, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

Key dates

02Disclosure timeline

December 1, 2025 CVE published

December 2, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66400

Related vulnerabilities

CVE-2025-66400: mdast-util-to-hast unsanitized class attribute

01Description

02Disclosure timeline

03References

04Related CVE