CVE-2025-24981: 
JavaScript vulnerability analysis and mitigation

MDC is a tool for writing documents with Vue components using Markdown. A critical vulnerability (CVE-2025-24981) was discovered affecting versions 0.13.2 and earlier, where unsafe URL parsing logic in the markdown processor could lead to arbitrary JavaScript code execution. The vulnerability was disclosed on February 6, 2025, and has been assigned a CVSS score of 9.3 (Critical) (GitHub Advisory).

The vulnerability exists in the URL parsing logic implemented in props.ts, which uses a deny-list approach to filter potentially malicious payloads by matching protocol schemes like 'javascript:'. However, this security mechanism can be bypassed by providing JavaScript URLs with HTML entities encoded via hex strings. The parser fails to properly sanitize these encoded values, allowing attackers to inject malicious JavaScript code (GitHub Advisory, NVD).

Applications that consume this library and perform markdown parsing from unvalidated sources (such as LLM-generated text, user input, or other untrusted data sources) could render vulnerable XSS anchor links. This could lead to arbitrary JavaScript code execution in the context of users' browsers (GitHub Advisory).

The vulnerability has been patched in version 0.13.3. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).