GHSA-mq6v-w35g-3c97: 
JavaScript vulnerability analysis and mitigation

A Local File Inclusion (LFI) vulnerability was discovered in zmarkdown, identified as GHSA-mq6v-w35g-3c97, affecting versions prior to 10.1.3. The vulnerability was published on August 31, 2021, and allows attackers to include images with known paths on the host machine inside LaTeX documents. This security issue impacts all users of zmarkdown except those who have disabled LaTeX generation or image downloads (GitHub Advisory).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). When processing markdown content, the system would allow images with local file paths to be included in LaTeX documents. For example, an image reference like ![](/tmp/img.png) would cause the system to download and include the image found at /tmp/img.png from the host machine (GitHub Advisory).

The vulnerability allows attackers to include and access images from known paths on the host machine within LaTeX documents. While classified as low severity, this could potentially lead to unauthorized access to local files on the system where zmarkdown is running (GitHub Advisory).

The vulnerability has been patched in version 10.1.3, which introduces a new option to replace invalid paths with a default image instead of linking directly to files on the host. Users are advised to update to this version as soon as possible. Alternative workarounds include disabling image downloading or implementing path sanitization (GitHub Advisory).