What is CVE-2025-66400?

### Impact Multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown `code` elements appear like the rest of the page. The following markdown: ````markdown ```js xss ``` ```` Would create ` ` If your page then applied `.xss` classes (or listeners in JS), those apply to this element. For more info see ### Patches The bug was patched. When using regular semver, run `npm install`. For exact ranges, make sure to use `13.2.1`. ### Workarounds Update. ### References * bug introduced in https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 * bug fixed in https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7

What is the severity of CVE-2025-66400?

CVE-2025-66400 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-66400?

No known public exploits are currently available for CVE-2025-66400.

Is there a patch available for CVE-2025-66400?

Yes, patches are available for CVE-2025-66400. Check the vendor advisories for update instructions.

CVE-2025-66400 - CVE Details, Severity, and Analysis

CVE-2025-66400 - CVE Details, Severity, and Analysis | Strobes VI

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

Multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. The following markdown:

```js&#x20;xss
```

Would create <pre><code class="language-js xss"></code></pre> If your page then applied .xss classes (or listeners in JS), those apply to this element. For more info see https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md#unsanitized-class-attribute

Patches

The bug was patched. When using regular semver, run npm install. For exact ranges, make sure to use 13.2.1.

Workarounds

Update.

References

bug introduced in https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403
bug fixed in https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com

Trend Analysis

Neutral

Advisories

GitHub Advisory NVD