CVE-2025-54075: 
JavaScript vulnerability analysis and mitigation

CVE-2025-54075 affects MDC, a tool for writing Markdown documents that interact with Vue components. The vulnerability was discovered in versions prior to 0.17.2, where a remote script-inclusion and stored cross-site scripting (XSS) vulnerability allows Markdown authors to inject a base element. The issue was disclosed on July 18, 2025, and affects the @nuxtjs/mdc package (GitHub Advisory, NVD).

The vulnerability exists in the validateProp() function within src/runtime/parser/utils.ts. The function fails to properly validate the 'href' attribute on base tags, allowing them to bypass security checks. The CVSS v3.1 base score is 8.3 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory).

When exploited, the vulnerability allows attackers to rewrite how all subsequent relative URLs are resolved, enabling the loading of scripts, styles, or images from external, attacker-controlled origins. This can lead to arbitrary JavaScript execution in the site's context, potentially resulting in full takeover of visitor sessions, credential theft, defacement, phishing, or CSRF attacks (GitHub Advisory).

The issue has been fixed in version 0.17.2. Until patched, users can either disable raw HTML in Markdown or use an external sanitizer like DOMPurify with FORBID_TAGS: ['base']. The fix involves disallowing or sanitizing base tags in the renderer by either stripping them entirely or restricting href attributes to same-origin URLs (GitHub Advisory, GitHub Commit).