Home > Vulnerability Database > CVE-2025-66400

Mend.io Vulnerability Database

CVE-2025-66400

Good to know:

Date: December 1, 2025

mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

Severity Score

5.3

Related Resources (6)

Url: https://github.com/syntax-tree/mdast-util-to-hast

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66400

Url: https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403

Url: https://github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m

Url: https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7

Url: https://www.mend.io/vulnerability-database/CVE-2025-66400

Severity Score

5.3

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-915

Top Fix

Upgrade Version

Upgrade to version mdast-util-to-hast - 13.2.1;https://github.com/syntax-tree/mdast-util-to-hast.git - 13.2.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66400

Good to know:

Date: December 1, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?