Marp Core allows XSS by improper neutralization of HTML sanitization

Severity:: Medium

Description

Marp Core (@marp-team/marp-core) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization.

Recommendation

Update the @marp-team/marp-core package to the latest compatible version. Followings are version details:

Affected version(s): **= 4.0.0 >= 3.0.2, <= 3.9.0**
Patched version(s): **4.0.1 3.9.1**

References

GHSA-x52f-h5g4-8qv5
CVE-2024-56510
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
Svelte has a potential mXSS vulnerability due to improper HTML escaping - CVE-2024-45047
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225

Tags:: npm; @marp-team/marp-core

Anything's wrong? Let us know Last updated on December 26, 2024