CVE-2025-46734

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-46734
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-46734.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-46734
Aliases
Related
Published
2025-05-05T20:15:21Z
Modified
2025-05-19T10:05:41.220608Z
Summary
[none]
Details

league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.

The league/commonmark library provides configuration options such as html_input: 'strip' and allow_unsafe_links: false to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces.

Version 2.7.0 contains three changes to prevent this XSS attack vector: all attributes starting with on are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added href and src attributes now respect the existing allow_unsafe_links configuration option. If upgrading is not feasible, please consider disabling the AttributesExtension for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.

References

Affected packages

Debian:11 / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.7-2
1.5.8-1
1.6.2-1
1.6.6-1
1.6.7-1

2.*

2.1.1-1
2.2.0-1
2.2.1-1
2.2.2-1
2.2.3-1
2.3.3-1
2.3.3-2
2.3.3-3
2.3.4-1
2.3.5-1
2.3.6-1
2.3.7-1
2.3.8-1
2.3.9-1
2.4.0-1
2.4.1-1
2.4.2-1
2.4.2-2
2.5.0-1
2.5.1-1
2.5.3-1
2.6.0-1
2.6.1-1
2.6.1-2
2.6.2-1
2.7.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.9-1
2.4.0-1
2.4.1-1
2.4.2-1
2.4.2-2
2.5.0-1
2.5.1-1
2.5.3-1
2.6.0-1
2.6.1-1
2.6.1-2
2.6.2-1
2.7.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / php-league-commonmark

Package

Name
php-league-commonmark
Purl
pkg:deb/debian/php-league-commonmark?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
2.7.0-1

Affected versions

2.*

2.3.9-1
2.4.0-1
2.4.1-1
2.4.2-1
2.4.2-2
2.5.0-1
2.5.1-1
2.5.3-1
2.6.0-1
2.6.1-1
2.6.1-2
2.6.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/thephpleague/commonmark

Affected ranges

Type
GIT
Repo
https://github.com/thephpleague/commonmark
Events
Introduced
0
Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.16.0
0.17.0
0.17.2
0.17.4
0.18.1
0.2.0
0.2.1
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.8.0
0.9.0

2.*

2.0.0
2.0.0-beta1
2.0.0-beta2
2.0.0-beta3
2.0.0-rc1
2.0.0-rc2
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2