## XSS Vulnerability in MarkdownRenderer Exposes Wiki to Script Injection via rehype-raw and Loose Mermaid Configuration
A critical cross-site scripting vulnerability has been identified in the MarkdownRenderer component, potentially allowing users with wiki edit access to inject arbitrary JavaScript into the application. The flaw stems from two compounding misconfigurations: the component relies on `rehype-raw`, a plugin that passes raw HTML embedded in markdown straight through to the rendered output without sanitization, while the integrated Mermaid diagram renderer operates with `securityLevel` set to `"loose"` — a setting that explicitly permits potentially dangerous operations including DOM manipulation and script execution.

The affected code resides in `frontend/src/components/common/MarkdownRenderer.tsx`, specifically at lines 7 and 57–58. Under normal conditions, a markdown renderer should sanitize all HTML before rendering to prevent injection attacks. However, `rehype-raw` circumvents this protection by treating embedded HTML as trusted content. When combined with Mermaid's loose security mode, an attacker with wiki edit privileges could craft markdown containing `<script>` tags or malicious `onclick` event handlers that execute in the browsers of any user viewing the rendered page.

The vulnerability carries significant implications for any platform where wiki content is user-generated. Session hijacking, credential theft, and worm-style propagation represent realistic attack vectors if exploitation occurs at scale. Security researchers reviewing the issue have outlined a remediation path: remove `rehype-raw` from the rehype plugin chain unless it is absolutely necessary for functionality; if raw HTML support is required, insert `rehype-sanitize` with a strict allowlist; change the Mermaid `securityLevel` from `"loose"` to `"strict"`; and replace direct `innerHTML` assignments with `dangerouslySetInnerHTML` only after sanitization has been applied. Organizations running this codebase should treat this as a high-priority patch cycle item.
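The allowlist principle behind the `rehype-sanitize` recommendation, together with the strict Mermaid setting, as an added example that is not code from the affected project: `SCHEMA`, `attributeAllowed`, `sanitizeHtml`, `MERMAID_CONFIG` and the constructed `SAMPLE` are names assumed here, and the regex tokenizer stands in for the tree-based processing the real plugin performs.

```javascript
// Added example (not code from the affected project): an allowlist sanitizer in
// the spirit of rehype-sanitize, applied to the raw HTML that rehype-raw would
// otherwise pass through untouched. The schema mirrors rehype-sanitize's
// {tagNames, attributes, protocols} shape; the regex tokenizer is only a
// demonstration stand-in (rehype-sanitize works on the parsed tree).
const SCHEMA = {
  tagNames: new Set(['a', 'b', 'em', 'p', 'code', 'pre', 'ul', 'li']),
  attributes: { a: new Set(['href', 'title']), '*': new Set(['class']) },
  protocols: { href: new Set(['http', 'https', 'mailto']) },
};

// Mermaid initialisation with the advisory's recommended level: 'strict'
// escapes HTML in labels and blocks click handlers that 'loose' would allow.
const MERMAID_CONFIG = { startOnLoad: false, securityLevel: 'strict' };

function attributeAllowed(tag, attr, value, schema = SCHEMA) {
  const perTag = schema.attributes[tag] || new Set();
  const global = schema.attributes['*'] || new Set();
  if (!perTag.has(attr) && !global.has(attr)) return false; // drops every on* handler
  const protocols = schema.protocols[attr];
  if (!protocols) return true;
  const m = value.trim().match(/^([a-z][a-z0-9+.-]*):/i);     // URL scheme, if any
  return !m || protocols.has(m[1].toLowerCase());             // relative URLs pass
}

function sanitizeHtml(html, schema = SCHEMA) {
  // Remove <script>/<style> elements together with their contents.
  const noScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return noScripts.replace(/<\/?([a-z][\w-]*)([^>]*)>/gi, (whole, tag, rawAttrs) => {
    const name = tag.toLowerCase();
    if (!schema.tagNames.has(name)) return '';                // unlisted element: removed
    if (whole.startsWith('</')) return `</${name}>`;
    const kept = [];
    const attrRe = /([^\s=/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (let a; (a = attrRe.exec(rawAttrs)) !== null;) {
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (attributeAllowed(name, a[1].toLowerCase(), value, schema)) {
        kept.push(`${a[1].toLowerCase()}="${value.replace(/"/g, '&quot;')}"`);
      }
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample of the payload shapes the advisory describes.
const SAMPLE = 'Hello <b onclick="alert(1)">wiki</b> <a href="javascript:alert(1)">x</a>' +
  '<script>fetch("/steal")</script> <a href="https://example.com" title="ok">fine</a>';

console.log(sanitizeHtml(SAMPLE));
```

The inline handler, the `javascript:` link and the script element are all removed while the legitimate link survives; entity-encoded or control-character-padded schemes are exactly the cases where string matching falls short and the tree-based plugin is needed.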
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: xss, vulnerability, rehype-raw, mermaid, security
- **Credibility**: unverified
- **Published**: 2026-04-29 21:54:09
- **ID**: 78349
- **URL**: https://whisperx.ai/en/intel/78349