Summary
Pulsar’s markdown-preview package relies on an outdated version of DOMPurify (v2.0.17), which is vulnerable to a known XSS bypass (CVE-2024-47875). This allows attackers to inject and execute arbitrary JavaScript in the markdown preview feature.
Details
Since markdown-preview renders user-controlled Markdown with DOMPurify, crafted input can bypass sanitization. Furthermore, due to nodeIntegration: true and contextIsolation: false in Pulsar’s Electron config, this XSS leads to RCE.
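As an added example (not code from this advisory or from the Pulsar project), the following script audits the two conditions the advisory chains together: a DOMPurify version below the CVE-2024-47875 fix and an Electron webPreferences object that lets renderer XSS reach Node.js. The fixed-version thresholds (2.5.4 for 2.x, 3.1.3 for 3.x), the sample configurations and the function names are assumptions to verify against the upstream DOMPurify and Electron documentation.

```javascript
// Added example, not part of the advisory or of Pulsar's code base.
// Minimal semver comparison for "MAJOR.MINOR.PATCH" strings (no prerelease tags).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Assumed fixed versions for CVE-2024-47875, taken from the upstream DOMPurify
// advisory: 2.5.4 on the 2.x line and 3.1.3 on the 3.x line. Verify before use.
const DOMPURIFY_FIXED = { 2: '2.5.4', 3: '3.1.3' };

function isDomPurifyVulnerable(version) {
  const major = Number(version.split('.')[0]);
  const fixed = DOMPURIFY_FIXED[major];
  if (!fixed) return major < 2; // anything older than 2.x is outdated; newer majors assumed fixed
  return compareSemver(version, fixed) < 0;
}

// Returns findings for the dependency state plus the BrowserWindow webPreferences.
// Each finding is one link in the XSS-to-RCE chain the advisory describes.
function auditRenderer(dompurifyVersion, webPreferences) {
  const findings = [];
  if (isDomPurifyVulnerable(dompurifyVersion)) {
    findings.push(`dompurify ${dompurifyVersion} predates the CVE-2024-47875 fix`);
  }
  if (webPreferences.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: renderer XSS can require() Node modules');
  }
  if (webPreferences.contextIsolation === false) {
    findings.push('contextIsolation is disabled: page scripts share the preload realm');
  }
  // Electron's sandbox default varies by version, so the audit wants it set explicitly.
  if (webPreferences.sandbox !== true) {
    findings.push('sandbox is not explicitly enabled for the renderer process');
  }
  return findings;
}

// Constructed sample inputs: the weak settings the advisory names, next to a hardened set.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(auditRenderer('2.0.17', weakPrefs));   // four findings
console.log(auditRenderer('2.5.4', hardenedPrefs)); // []
```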
PoC
Using a crafted payload with deep HTML nesting and an <iframe srcdoc> pointing to a script (e.g., /proc/self/cwd/poc.js), an attacker can trigger execution of arbitrary JavaScript and escalate to system command execution.
Impact
RCE