Cross-site scripting via unescaped metadata title allows arbitrary code execution
Summary
showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page. A flaw was found in showdown. This cross-site scripting (XSS) vulnerability occurs in the metadata title handling when the `completeHTMLDocument` option is enabled. This allows the attacker to break out of the HTML title context and execute arbitrary HTML and JavaScript, potentially leading to information disclosure or arbitrary code execution in the user's browser. Red Hat rates this flaw as Moderate. Exploitation requires two non-default showdown options enabled simultaneously: metadata and completeHTMLDocument, both of which default to false. Red Hat products that ship showdown do not enable completeHTMLDocument in their default configurations, which reduces the likelihood of exploitation. Red Hat severity: Moderate — CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Weakness: CWE-79.
Mitigation checklist
- Do not enable showdown's completeHTMLDocument option when processing untrusted markdown input. If the option is required, sanitize metadata values before passing them to the converter.
Official advisory · high-confidence parse· fetched 21 minutes ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.