{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-7969", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-07-21T18:41:55.203Z", "datePublished": "2025-08-21T16:40:05.915Z", "dateUpdated": "2025-09-01T17:19:53.496Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "markdown-it", "programFiles": ["lib/renderer.mjs"], "vendor": "markdown-it", "versions": [{"status": "affected", "version": "14.1.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:markdown-it:markdown-it:14.1.0:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS).<p> This vulnerability is associated with program files <tt>lib/renderer.mjs</tt>.</p><p>This issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs.\n\nThis issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-09-01T17:19:53.496Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/fito"}, {"tags": ["product"], "url": "https://github.com/markdown-it/markdown-it"}], "source": {"discovery": "UNKNOWN"}, "tags": ["disputed"], "title": "Markdown-it 14.1.0 - Cross-site scripting (XSS)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://fluidattacks.com/advisories/fito", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T17:22:06.168622Z", "id": "CVE-2025-7969", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T17:31:23.103Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-08-25T04:45:43.251Z"}, "references": [{"url": "https://github.com/markdown-it/markdown-it/issues/1122"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/markdown-it/markdown-it/issues/1122"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-08-25T04:45:43.251Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7969", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-21T17:22:06.168622Z"}}}], "references": [{"url": "https://fluidattacks.com/advisories/fito", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T17:22:08.233Z"}}], "cna": {"tags": ["disputed"], "title": "Markdown-it 14.1.0 - Cross-site scripting (XSS)", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "markdown-it", "product": "markdown-it", "versions": [{"status": "affected", "version": "14.1.0", "versionType": "custom"}], "programFiles": ["lib/renderer.mjs"], "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/fito", "tags": ["third-party-advisory"]}, {"url": "https://github.com/markdown-it/markdown-it", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs.\n\nThis issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS).<p> This vulnerability is associated with program files <tt>lib/renderer.mjs</tt>.</p><p>This issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:markdown-it:markdown-it:14.1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-09-01T17:19:53.496Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7969", "state": "PUBLISHED", "dateUpdated": "2025-09-01T17:19:53.496Z", "dateReserved": "2025-07-21T18:41:55.203Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2025-08-21T16:40:05.915Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "help@fluidattacks.com", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs.\n\nThis issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o \"Cross-Site Scripting\") en markdown-it permite la ejecuci\u00f3n de Cross-Site Scripting (XSS). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/renderer.mjs. Este problema afecta a Markdown-it: 14.1.0."}], "id": "CVE-2025-7969", "lastModified": "2025-09-01T18:15:29.333", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2025-08-21T17:15:32.893", "references": [{"source": "help@fluidattacks.com", "url": "https://fluidattacks.com/advisories/fito"}, {"source": "help@fluidattacks.com", "url": "https://github.com/markdown-it/markdown-it"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/markdown-it/markdown-it/issues/1122"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://fluidattacks.com/advisories/fito"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "help@fluidattacks.com", "type": "Secondary"}]}

{"bugzilla": {"description": "markdown-it: Markdown-it Cross-site scripting", "id": "2390127", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390127"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-7969", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-rhel9-operator", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces-tech-preview/idea-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2025-08-21T16:40:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-7969\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-7969\nhttps://fluidattacks.com/advisories/fito\nhttps://github.com/markdown-it/markdown-it"], "threat_severity": "Moderate"}