[Bug]: Arbitrary code execution in Markdown mode via Carriage Return (\r) injection #1403

@Tednoob17

Description

What happened?

An attacker can hide malicious commands in documentation that appear as harmless text in Git UIs but execute with full privileges when run via zx.

How it should work?

The transformMarkdown function in src/md.ts fails to account for all JavaScript line terminators. Specifically, it does not split lines on a standalone Carriage Return (\r).

While zx attempts to comment out prose sections by prepending //, Node.js interprets \r as a newline. This allows code following a \r to "break out" of the comment and execute, even if it is not inside a Markdown code block.
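As an added illustration (not zx's code; the function names are assumed), a line splitter that honours every ECMAScript line terminator next to the naive LF-only split, plus a check that reports any commented-out prose line that still contains a terminator the JS parser would honour:

```javascript
// Added example, not zx's own code. ECMAScript LineTerminators are LF, CR,
// CRLF (counted as one), U+2028 and U+2029; a splitter must handle all of them.
const JS_LINE_TERMINATOR = /\r\n|\r|\n|\u2028|\u2029/;
const JS_LINE_TERMINATOR_ANY = /[\r\n\u2028\u2029]/;

// Naive approach: splits only on LF, so a bare CR survives inside a "line".
function naiveSplit(text) {
  return text.split('\n');
}

// Hardened approach: split on every terminator the JS parser recognises.
function splitJsLines(text) {
  return text.split(JS_LINE_TERMINATOR);
}

// Comment out prose lines the way a markdown-to-script transform would,
// using the supplied splitter.
function commentOutProse(text, splitter) {
  return splitter(text).map((line) => '// ' + line);
}

// A commented-out line is only safe if it contains no terminator that the
// JS parser would treat as the end of the comment. Returns the offending
// lines so a test or linter can report them.
function findCommentBreakouts(commentedLines) {
  return commentedLines.filter((line) => JS_LINE_TERMINATOR_ANY.test(line));
}

// Constructed sample: prose, a bare CR, code-looking text, then a U+2028.
const SAMPLE = 'Prose text\rconsole.log("not prose")\nMore prose\u2028more';

const naive = commentOutProse(SAMPLE, naiveSplit);
const hardened = commentOutProse(SAMPLE, splitJsLines);

console.log('naive breakouts:', findCommentBreakouts(naive).length);       // 2
console.log('hardened breakouts:', findCommentBreakouts(hardened).length); // 0
```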

How to reproduce the bug?

node -e "require('fs').writeFileSync('exploit.md', 'Prose text\rconsole.log(\"Vulnerability Confirmed: Code executed outside of block\")')"

zx exploit.md

Version

8.8.5

What's OS kind?

Linux

What JS runtime is used?

Node.js

Runtime Version

25.6.1
