XSS Vulnerability in PHP Markdown Parser of League/CommonMark
CVE-2025-46734

6.4 MEDIUM

Key Information:

Vendor:
CVE Published: 5 May 2025

What is CVE-2025-46734?

A cross-site scripting (XSS) vulnerability exists in the Attributes extension of the league/commonmark library that allows remote attackers to embed malicious JavaScript in the rendered HTML. Versions 1.5.0 through 2.6.x are affected: with the extension enabled, Markdown syntax can be used to inject unsafe HTML attributes into the output. Although the library offers configuration options to mitigate XSS, enabling the Attributes extension may still expose users to this risk. Version 2.7.0 addresses the issue by blocking unsafe attributes and enforcing a whitelist of allowed HTML attributes. Users should upgrade, or disable the AttributesExtension for untrusted users, and should consider filtering the rendered HTML with a library such as HTMLPurifier.
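The mitigation described above, as an added example that is not part of this advisory or of the league/commonmark project: a PHP rendering pipeline for untrusted Markdown that leaves the AttributesExtension out, turns on the library's own hardening options, and passes the result through HTMLPurifier as a second layer. It assumes league/commonmark 2.x and ezyang/htmlpurifier are installed through Composer; the function name and the sample input are constructed for the example.

```php
<?php
// Added example: hardened Markdown-to-HTML pipeline for untrusted input.
// Assumes league/commonmark 2.x and ezyang/htmlpurifier via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

function renderUntrustedMarkdown(string $markdown): string
{
    $config = [
        // Drop raw HTML blocks and inline HTML found in the Markdown source.
        'html_input'         => 'strip',
        // Refuse javascript:, vbscript:, data: and file: URLs in links and images.
        'allow_unsafe_links' => false,
        // Bound nesting depth so pathological input cannot exhaust the stack.
        'max_nesting_level'  => 100,
    ];

    $environment = new Environment($config);
    $environment->addExtension(new CommonMarkCoreExtension());
    // Deliberately NOT adding League\CommonMark\Extension\Attributes\AttributesExtension:
    // on versions below 2.7.0 it lets Markdown inject HTML attributes, which
    // html_input and allow_unsafe_links do not cover.

    $converter = new MarkdownConverter($environment);
    $html = $converter->convert($markdown)->getContent();

    // Defence in depth: HTMLPurifier removes any tag or attribute outside an
    // explicit allow-list, whatever path it took into the rendered HTML.
    $purifierConfig = HTMLPurifier_Config::createDefault();
    $purifierConfig->set(
        'HTML.Allowed',
        'p,br,strong,em,code,pre,ul,ol,li,blockquote,h1,h2,h3,a[href],img[src|alt]'
    );
    $purifierConfig->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $purifierConfig->set('Cache.DefinitionImpl', null); // no on-disk cache for this demo
    $purifier = new HTMLPurifier($purifierConfig);

    return $purifier->purify($html);
}

// Constructed sample input: a raw <script> block and a javascript: link, both of
// which the pipeline removes. Only the heading and the link text survive.
$sample = "# Hello\n\n<script>alert(1)</script>\n\n[click](javascript:alert(1))\n";
echo renderUntrustedMarkdown($sample);
```

If the AttributesExtension is genuinely required for trusted authors, keep a separate converter for that audience rather than sharing one environment between trusted and untrusted input, and still run the untrusted path through HTMLPurifier after upgrading to 2.7.0.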

Affected Version(s)

commonmark < 2.7.0

CVSS v3.1

Score: 6.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability published

  • Vulnerability Reserved
