Arbitrary JavaScript Code Execution in MDC by Nuxt Modules
CVE-2025-24981

9.3 CRITICAL

Key Information:

CVE Published: 6 February 2025

Summary

MDC, a tool designed for Markdown document creation within Vue components, contains a vulnerability that allows arbitrary JavaScript execution due to improper parsing logic in handling URLs in markdown content. The issue arises from a bypass of security measures that are intended to filter out potentially harmful javascript: protocol schemes. Attackers can exploit this flaw by encoding JavaScript URLs using hex strings, enabling them to craft malicious anchor links. This can affect users consuming untrusted Markdown input, leading to potential cross-site scripting (XSS) attacks. The vulnerability has been rectified in version 0.13.3, and users are strongly urged to update their deployments, as no workarounds are available.
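
A defender-side check for the bypass class described in the summary, written as an added example (it is not MDC's code and not the 0.13.3 patch): the link target is decoded before its scheme is compared against an allowlist. It assumes "hex strings" means HTML numeric character references; the function names, the allowlist and the sample links are constructed for illustration.

```javascript
// Added example: validate a Markdown link target only AFTER decoding it.
// Assumed policy: only these schemes (or a relative URL) may reach an href.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Named references that can hide a scheme; matched leniently (over-decoding is safe here).
const NAMED = { colon: ":", tab: "\t", newline: "\n", amp: "&" };

// Decode hex/decimal numeric character references and the named ones above.
function decodeCharRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (name !== undefined) {
      const v = NAMED[name.toLowerCase()];
      return v === undefined ? m : v; // unknown name: leave the text untouched
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

// Decode until the string stops changing, then apply the whitespace handling
// a URL parser applies (drop tab/LF/CR, trim leading controls and spaces).
function normalizeForCheck(raw) {
  let s = String(raw);
  for (let i = 0; i < 5; i++) {
    const next = decodeCharRefs(s);
    if (next === s) return s.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
    s = next;
  }
  return null; // still changing after 5 rounds: fail closed
}

function isSafeHref(raw) {
  const s = normalizeForCheck(raw);
  if (s === null) return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample link targets, encoded and plain.
const samples = ["https://example.com/docs", "/guide#intro",
  "javascript:void(0)", "&#x6A;avascript:void(0)", "&#106;avascript:void(0)",
  "java&#x09;script:void(0)", "&amp;#x6a;avascript:void(0)"];
for (const href of samples) console.log(isSafeHref(href) ? "allow " : "reject", href);
```

A filter that compares the raw string against `javascript:` rejects only the third sample; checking the decoded form rejects the last five.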

Affected Version(s)

mdc < 0.13.3

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
