Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVE-2025-66400

Medium

6.9/10

Summary

mdast-util-to-hast is an mdast utility to transform to hast. In versions from 13.x through 13.2.0, multiple (unprefixed) "classnames" could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: NONE

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

References

Advisory
Release Note

Advisory Timeline

Published Dec 01, 2025

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVE-2025-66400

Summary

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS