DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5VP3-3CG6-2RQ3: Cross-Site Scripting via Markdown Serialization Breakout in justhtml

Vulnerability ID: GHSA-5VP3-3CG6-2RQ3
CVSS Score: 7.5
Published: 2026-03-24

The Python library justhtml, in versions prior to 1.13.0, is affected by a Cross-Site Scripting (XSS) vulnerability caused by improper handling of HTML <pre> elements during Markdown serialization. The serializer wraps <pre> content in a fixed-length backtick fence, so a <pre> body that itself contains a backtick fence closes the generated code block early; everything after that point is emitted as ordinary Markdown rather than as code. When a downstream Markdown renderer that permits raw HTML processes that output, attacker-supplied markup such as a <script> tag is rendered and executes arbitrary JavaScript.

TL;DR

justhtml < 1.13.0 fails to dynamically size backtick fences when serializing <pre> tags to Markdown, so a <pre> body containing its own backtick fence terminates the code block early, enabling XSS through code block breakouts.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79, CWE-74
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5 (High)
  • Impact: Arbitrary JavaScript Execution
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed
  • Affected Component: justhtml.to_markdown()
  • Remediation: Upgrade to >= 1.13.0

Affected Systems

  • Python applications utilizing the justhtml library for HTML to Markdown serialization
  • Content Management Systems (CMS) relying on justhtml for user content processing
  • Applications passing justhtml output directly into Markdown-to-HTML engines like GFM or CommonMark
  • justhtml: < 1.13.0 (Fixed in: 1.13.0)

Code Analysis

Commit: f35f8f7

Fix: Calculate dynamic backtick fence length for pre tags
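The following is an added example that is not justhtml's code: a hypothetical serializer written here to show the fence breakout and the effect of the fix described above (sizing the fence to exceed any backtick run in the content). serialize_pre_fixed_fence, serialize_pre_dynamic_fence, fence_for and raw_html_lines_outside_fences are illustrative names, and PRE_TEXT is a constructed <pre> body. The fence tracker applies the CommonMark rule that a closing fence must be at least as long as the opening fence, which is exactly why the dynamic length defeats the breakout.

```python
"""Markdown fence breakout from a <pre> element and the dynamic-fence fix.

Hypothetical illustration; none of these functions are justhtml's own API.
"""
import re

# Constructed sample: the text content of a <pre> element as an HTML parser
# exposes it after entity decoding. The attacker controls the literal lines,
# including a three-backtick line that mimics a closing fence.
PRE_TEXT = "harmless()\n```\n<script>alert(document.cookie)</script>\n```\n"


def serialize_pre_fixed_fence(text: str) -> str:
    """Vulnerable pattern: always wrap <pre> content in a 3-backtick fence."""
    return "```\n" + text.rstrip("\n") + "\n```\n"


def fence_for(text: str, minimum: int = 3) -> str:
    """Pick a fence strictly longer than the longest backtick run in `text`.

    Counting runs anywhere in the text (not only at line starts) is
    deliberately conservative; it can only make the fence longer.
    """
    longest = max((len(run) for run in re.findall(r"`+", text)), default=0)
    return "`" * max(minimum, longest + 1)


def serialize_pre_dynamic_fence(text: str) -> str:
    """Fixed pattern: fence length depends on the content being wrapped."""
    fence = fence_for(text)
    return fence + "\n" + text.rstrip("\n") + "\n" + fence + "\n"


_OPEN_FENCE = re.compile(r"^ {0,3}(`{3,})")
_HTML_TAG_LINE = re.compile(r"^\s*<[A-Za-z/!]")


def raw_html_lines_outside_fences(markdown: str) -> list[str]:
    """Minimal CommonMark-style fence tracker.

    A line opens a fence when it starts with three or more backticks; the
    fence closes only on a backtick-only line at least as long as the opener.
    Returns the lines that sit outside any fence and look like raw HTML,
    i.e. what a renderer with raw HTML enabled would pass straight through.
    """
    open_len = 0
    leaked: list[str] = []
    for line in markdown.splitlines():
        if open_len:
            if re.fullmatch(r" {0,3}`{%d,}\s*" % open_len, line):
                open_len = 0  # closing fence: long enough, backticks only
            continue  # anything else is code, never interpreted as HTML
        m = _OPEN_FENCE.match(line)
        if m:
            open_len = len(m.group(1))
        elif _HTML_TAG_LINE.match(line):
            leaked.append(line)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", raw_html_lines_outside_fences(serialize_pre_fixed_fence(PRE_TEXT)))
    print("fixed:", raw_html_lines_outside_fences(serialize_pre_dynamic_fence(PRE_TEXT)))
```

With the fixed three-backtick fence the attacker's second line closes the block and the <script> line lands outside it; with the dynamic fence the opener is four backticks, so the embedded three-backtick lines stay inside the code block and nothing leaks. The tracker here is deliberately small (no tilde fences, no indentation-stripping subtleties), so use it to reason about the breakout, not as a substitute for the real renderer's behaviour.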

Exploit Details

  • Security Research PoC: Proof of concept demonstrating the Markdown code block breakout using backticks inside a pre element.

Mitigation Strategies

  • Upgrade justhtml to version 1.13.0 or higher.
  • Implement secondary HTML sanitization on the output of the Markdown renderer.
  • Configure the downstream Markdown parser to strictly disable raw HTML rendering.
  • Deploy a robust Content Security Policy (CSP) to restrict inline JavaScript execution.

Remediation Steps:

  1. Identify all projects utilizing the justhtml library.
  2. Update the dependency requirements in requirements.txt or pyproject.toml to specify justhtml>=1.13.0.
  3. Execute package manager updates (e.g., pip install --upgrade justhtml).
  4. Verify the fix by serializing a <pre> element whose text contains a line of three or more backticks and confirming that the emitted fence is longer than any backtick run inside the content, so the block is not terminated early.
  5. Review downstream Markdown rendering configurations to ensure strict compliance with security best practices.

Read the full report for GHSA-5VP3-3CG6-2RQ3 on our website for more details including interactive diagrams and full exploit analysis.
