🚨 Security alert: Marp Core from v3.0.2 to v3.9.0 and v4.0.0 are vulnerable to XSS (CVE-2024-56510) #554
yhatt
announced in
Announcements
Replies: 1 comment
-
Currently

```
$ npm audit
# npm audit report
@marp-team/marp-core 4.0.0
Severity: moderate
Marp Core allows XSS by improper neutralization of HTML sanitization - https://github.com/advisories/GHSA-x52f-h5g4-8qv5
fix available via `npm audit fix`
node_modules/@marp-team/marp-core
1 moderate severity vulnerability
To address all issues, run:
npm audit fix
```
-
CVE-2024-56510: Marp Core allows XSS by improper neutralization of HTML sanitization
Marp Core from v3.0.2 to v3.9.0 and v4.0.0 are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization.
If you are a developer using an affected version of Marp Core, we strongly recommend updating to the patched versions as soon as possible: v3.9.1 and v4.0.1.
For details, please check the security advisory page of the Marp Core library: GHSA-x52f-h5g4-8qv5
Workaround
You can mitigate this vulnerability by disabling HTML rendering with the `html: false` constructor option.
Impact on Marp tools
Marp CLI ✅
v4.0.4 and later are using a patched core.
Note
If you have to use the legacy version, you can set `--html=false` to disable HTML completely.
Marp for VS Code ✅
v3.0.0 and later are using a patched core.
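As an added example, not code from the Marp project: a small script that reads a package-lock.json object and flags every installed copy of Marp Core whose version falls in the affected ranges named above, together with the patched release to move to. The lock file content is constructed for the demo, and the script assumes the lockfileVersion 2 or 3 `packages` layout.

```javascript
// Added example (not Marp project code): flag installed Marp Core copies whose
// version is in the affected ranges from this advisory. Lock file is constructed.
const PACKAGE_NAME = "@marp-team/marp-core";

// Inclusive affected ranges from the advisory and the patched release for each.
const AFFECTED_RANGES = [
  { min: [3, 0, 2], max: [3, 9, 0], fixed: "3.9.1" },
  { min: [4, 0, 0], max: [4, 0, 0], fixed: "4.0.1" },
];

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release suffix are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples numerically: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Patched version to upgrade to, or null when `version` is outside every range.
function affectedFix(version) {
  const v = parseVersion(version);
  const hit = AFFECTED_RANGES.find((r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0);
  return hit ? hit.fixed : null;
}

// Walk a lockfileVersion 2/3 "packages" map and report every affected copy of
// Marp Core, including copies nested under another package's node_modules.
function findAffectedMarpCore(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE_NAME)) continue;
    const upgradeTo = affectedFix(entry.version);
    if (upgradeTo) findings.push({ path, version: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample: one vulnerable top-level copy and one patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@marp-team/marp-core": { version: "4.0.0" },
    "node_modules/some-tool/node_modules/@marp-team/marp-core": { version: "3.9.1" },
  },
};
```

Run it against a real lock file with `findAffectedMarpCore(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no installed copy is in the affected ranges.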