
Cloud Vulnerability DB
A community-led vulnerabilities database
remark-html, an open source Node.js library that compiles Markdown to HTML, contained a critical security vulnerability in versions below 13.0.2 and in version 14.0.0. While the documentation claimed the library was safe by default, in practice the default configuration was unsafe and required an explicit opt-in for the security feature. This mismatch between documentation and implementation allowed arbitrary HTML to be passed through unchanged, potentially enabling XSS attacks (GitHub Advisory).
The vulnerability stemmed from the library's default configuration not matching its documented security claims. By default, the sanitization feature was disabled, allowing arbitrary HTML to pass through without sanitization. This implementation flaw meant that users following the documentation's default usage pattern were unknowingly exposed to potential security risks. The issue was assigned CVE-2021-39199 and received a Critical severity rating (GitHub Advisory).
The vulnerability could allow attackers to perform cross-site scripting (XSS) attacks by passing arbitrary HTML through the library's processing pipeline. Since the library was commonly used to convert markdown to HTML in web applications, this could lead to client-side code execution in the context of the vulnerable application (GitHub Advisory).
The issue was patched in versions 13.0.2 and 14.0.1, which made the library safe by default and aligned the implementation with the documentation. For users unable to upgrade, a workaround was available: explicitly enable sanitization with the configuration option {sanitize: true} (GitHub Advisory, GitHub Commit).
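An added example (not code from the advisory or from remark-html itself) that turns the affected and fixed version numbers above into a check a team can run against a package-lock.json to find installed copies of remark-html that still ship the unsafe default; the sample lockfile is constructed for illustration.

```javascript
// Added example (not part of the advisory): flag remark-html versions affected by
// CVE-2021-39199 in a package-lock.json. Per the advisory, every release before
// 13.0.2 and release 14.0.0 exactly are affected; 13.0.2 and 14.0.1 are fixed.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when the given remark-html version ships with sanitization off by default.
function isVulnerableRemarkHtml(version) {
  return compareSemver(version, '13.0.2') < 0 || compareSemver(version, '14.0.0') === 0;
}

// Walk a lockfile (v2/v3 "packages" map, or the v1 "dependencies" tree) and
// collect every remark-html entry, including nested copies, whose version is affected.
function findVulnerableRemarkHtml(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/remark-html') && isVulnerableRemarkHtml(meta.version))
      hits.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'remark-html' && isVulnerableRemarkHtml(meta.version))
        hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');   // nested node_modules in v1 lockfiles
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one vulnerable copy and one patched nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/remark-html': { version: '13.0.1' },
    'node_modules/some-docs-tool/node_modules/remark-html': { version: '14.0.1' },
  },
};
console.log(findVulnerableRemarkHtml(sampleLock));
```

Copies the check reports should be upgraded to 13.0.2 or 14.0.1; until then, every remark-html invocation in the code base needs {sanitize: true} passed explicitly.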
Source: This report was generated using AI