CVE-2025-64501

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-64501

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64501.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64501

Aliases

GHSA-52c5-vh7f-26fx

Published

2025-11-10T21:37:01Z

Modified

2025-11-14T19:41:29.604768Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

ProsemirrorToHtml: Cross-Site Scripting vulnerability through unescaped HTML attribute values

Details

ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use prosemirror_to_html to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/etaminstudio/prosemirror_to_html

Affected ranges

Type: GIT
Repo: https://github.com/etaminstudio/prosemirror_to_html
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3c5d11693790bbb080c70af2e9ccd85d52050392

Affected versions

v0.*

v0.1.0

v0.2.0