In the ever-changing world of web security, Cross-site Scripting (XSS) remains a stubborn and dangerous vulnerability, often lurking where input isn’t sanitized properly. In 2022, a significant XSS vulnerability—CVE-2022-25849—was found in the markdown parser package joyqi/hyper-down. Anyone using this package (from version .. onwards) is at risk of exposing their users and data to potential cross-site scripting attacks.

Let’s dig into what CVE-2022-25849 is, how the vulnerability can be exploited, and how to protect your applications. We’ll use simple language, step-by-step code snippets, and connect you directly to original sources.

What is CVE-2022-25849?

CVE-2022-25849 is an identifier given to a security bug in the joyqi/hyper-down markdown parsing package. This bug allows attackers to inject malicious JavaScript code through specially crafted markdown links. The problem is in the way the library filters (or rather, doesn’t filter correctly) the href attributes inside link markdown.

In simple terms: If you display user-supplied markdown with hyper-down and the user includes a harmful link, that JavaScript code can execute in your users’ browsers.

Hijack user accounts or perform actions on their behalf

All of this can be done if the attacker manages to inject JavaScript code via the markdown content.

How It Happens: A Simple Example

Suppose you run a forum or comment section and use hyper-down to render posts written in markdown.

Google

But a bad actor could submit this:

[Click Me](javascript:alert('XSS'))

Or, more sneakily:

[Surprise!](javascript:alert(document.cookie))

If you use joyqi/hyper-down as your markdown parser, the code behind the scenes may render this as:

<a href="javascript:alert('XSS')">Click Me</a>

When anyone clicks the link, *their browser* runs the injected JavaScript!

Here’s a mini-app simulating how the vulnerability works:

<?php
require 'vendor/autoload.php';

use HyperDown\Parser;

$parser = new Parser();
// Attacker-controlled markdown, e.g. a forum post or comment
$user_markdown = "[I'm Evil](javascript:alert('XSS from hyper-down!'))";
// Rendered HTML is sent to the browser unchanged, href included
echo $parser->makeHtml($user_markdown);
?>

This code outputs:

<p><a href="javascript:alert('XSS from hyper-down!')">I'm Evil</a></p>

If you click the link in the browser, an alert pops up, proving that the attacker-supplied JavaScript runs in the page’s own origin, with access to its cookies and DOM.

1. Don’t Trust User Input

Never trust user-submitted markdown. Sanitize it before rendering!

2. Filter Unsafe Protocols

Before rendering, filter out links that start with javascript:, data:, or other potentially unsafe schemes.

Example (PHP snippet):

function safeHref($href) {
    // Only allow absolute http or https URLs; every other scheme
    // (javascript:, data:, vbscript:, ...) is rejected
    return (bool) preg_match('/^https?:\/\//i', $href);
}

$link = "javascript:alert(1)";
if (!safeHref($link)) {
    echo "Unsafe link blocked!";
}

3. Use Updated Libraries

There aren’t many updates to hyper-down. Consider using alternative, maintained libraries that specifically patch XSS vulnerabilities, like Parsedown (with Secured extension).

4. Escape HTML Output

If you must use hyper-down, make sure to escape the output where possible to prevent execution of unsafe scripts.
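Steps 2 and 4 together amount to one thing: treat the parser’s HTML as untrusted and filter link targets on the way out. The following is an added example, not code from hyper-down or from the article’s author. It assumes PHP 7.4+ with the bundled DOM extension; the function names isSafeUrl and sanitizeLinks, the scheme allowlist and the sample strings are all my own. Rather than checking the raw markdown string, it parses the rendered HTML, which means entity-encoded payloads are decoded before the scheme check, the same way a browser would decode them.

```php
<?php
// Added example, not part of hyper-down: a post-render sanitizer that removes
// link/image targets with unsafe URL schemes from the HTML a markdown parser
// produced. Call it between $parser->makeHtml($md) and echo.

// Schemes allowed in href/src. Anything else (javascript:, data:, vbscript:,
// ...) is dropped. Relative URLs carry no scheme and are allowed.
const SAFE_URL_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return true if $url is safe to emit as a link or image target.
 */
function isSafeUrl(string $url): bool
{
    // libxml's HTML parser only knows the HTML 4 entity table, so HTML5-only
    // entities such as &colon; survive DOM parsing undecoded; decode them here
    // so the check sees what the browser will see.
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Browsers tolerate ASCII whitespace and control characters inside a
    // scheme ("java\tscript:", "\njavascript:"), so remove them before the
    // scheme is inspected; otherwise a plain prefix check is bypassed.
    $normalized = preg_replace('/[\x00-\x20\x7F]+/', '', $decoded);

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        return true; // no scheme: "/docs", "page.html", "#top", "?q=1"
    }
    return in_array(strtolower($m[1]), SAFE_URL_SCHEMES, true);
}

/**
 * Walk rendered HTML and strip every href/src attribute whose value fails
 * isSafeUrl(). The rest of the markup is returned unchanged.
 */
function sanitizeLinks(string $html): string
{
    if (trim($html) === '') {
        return '';
    }

    libxml_use_internal_errors(true); // no warnings for odd markup
    $doc = new DOMDocument();
    // The XML declaration forces UTF-8; NOIMPLIED/NODEFDTD keep the fragment
    // from being wrapped in <html><body> and given a doctype.
    $doc->loadHTML(
        '<?xml encoding="UTF-8" ?>' . $html,
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Snapshot the attribute nodes first: the tree is modified while iterating.
    $attrs = iterator_to_array($xpath->query('//@href | //@src'));
    foreach ($attrs as $attr) {
        /** @var DOMAttr $attr */
        if (!isSafeUrl($attr->value)) {
            $attr->ownerElement->removeAttribute($attr->name);
        }
    }

    // Serialize every top-level node except the encoding declaration added above.
    $out = '';
    foreach ($doc->childNodes as $node) {
        if ($node->nodeType !== XML_PI_NODE) {
            $out .= $doc->saveHTML($node);
        }
    }
    return $out;
}

// Constructed inputs: the first is the output the article shows for
// hyper-down; the rest are obfuscation variants plus two benign links.
$samples = [
    '<p><a href="javascript:alert(\'XSS from hyper-down!\')">I\'m Evil</a></p>',
    '<p><a href="JaVaScRiPt:alert(1)">mixed case</a></p>',
    "<p><a href=\"java\tscript:alert(1)\">tab inside scheme</a></p>",
    '<p><a href="&#106;avascript:alert(1)">entity encoded</a></p>',
    '<p><a href="javascript&colon;alert(1)">HTML5 entity</a></p>',
    '<p><img src="data:text/html;base64,AAAA" alt="data URL"></p>',
    '<p><a href="https://example.com/">kept</a> <a href="/relative">kept</a></p>',
];

foreach ($samples as $html) {
    echo sanitizeLinks($html), PHP_EOL;
}
```

In the mini-app above the call becomes `echo sanitizeLinks($parser->makeHtml($user_markdown));`. The first six samples lose their href or src attribute and become inert `<a>` or `<img>` elements; the last one passes through untouched. An allowlist of schemes is deliberately used instead of a denylist of known-bad ones, so a scheme nobody thought of is blocked by default, and relative URLs are permitted because they can never change the origin the page runs in. This filters link targets only; it does not remove raw HTML that a parser may pass through from the markdown, so it is a complement to a maintained, safe-mode parser, not a substitute for one.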

Official NVD entry for CVE-2022-25849:
https://nvd.nist.gov/vuln/detail/CVE-2022-25849

joyqi/hyper-down on GitHub:
https://github.com/joyqi/hyper-down

Security guide for markdown-it (Node.js):
https://github.com/markdown-it/markdown-it/issues/340

Markdown and XSS: How common is it?
https://markdown-xss.github.io/

Conclusion

If your PHP project uses joyqi/hyper-down for rendering markdown, you might be open to XSS attacks through malicious markdown links. Always validate and sanitize all user input, prefer safer markdown libraries, and patch urgent vulnerabilities like CVE-2022-25849 as soon as possible.

Timeline

Published on: 10/26/2022 05:15:00 UTC
Last modified on: 11/03/2022 13:59:00 UTC