The Hexo team is already aware of CVE-2021-25987, and we already implemented a fix five months ago (see PR #4743). However, we will not release a minor version including the fix. The fix will be included in the next major version of Hexo (which will be 6.0.0).
The fix (which will enable HTML entity escaping by default) is considered a breaking change, and we are aware that it could break many current themes.
Also, you should be aware that Hexo is only a static site generator. It only generates static HTML from the source on your local computer (or your server).
It is impossible for anyone other than you to modify your Hexo theme or your blog posts without physical access to your computer or a login to your server. That is to say, in order to perform an attack based on CVE-2021-25987, the hacker would have to hack into your computer or your server to modify your blog posts. But if that really happens (your local computer or server being compromised), the hacker can basically do anything anyway.
If you host the source code of your Hexo site on a server and use some kind of web editor (like hexo-editor), it might be possible for hackers to modify your posts through such a web editor (without logging in to your server). We recommend that you use some kind of authentication to protect your web editor (which you should always have, even without this CVE; you don't want anybody to modify your posts, right?). hexo-editor, which we mentioned earlier, has had a built-in username & password configuration from day one, so you will not be affected if you have set a strong password.
In short, the CVE is not a stored XSS or a reflected XSS. It is a self-XSS (you XSS yourself, or a hacker has to hack into your computer or server to perform the XSS attack). And your website will work flawlessly and soundly even without us releasing a fix.