GHSA-j3mm-wmfm-mwvh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j3mm-wmfm-mwvh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-j3mm-wmfm-mwvh/GHSA-j3mm-wmfm-mwvh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j3mm-wmfm-mwvh
- Aliases
-
- CVE-2025-25299
- Published
- 2025-02-20T20:16:31Z
- Modified
- 2025-02-20T22:53:45Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package
- Details
-
Impact
During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document.
This vulnerability affects only installations with Real-time collaborative editing enabled.
Patches
The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above).
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
- Database specific
{ "nvd_published_at": "2025-02-20T20:15:46Z", "cwe_ids": [ "CWE-79", "CWE-80" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-02-20T20:16:31Z" }- References
-
- https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-j3mm-wmfm-mwvh
- https://nvd.nist.gov/vuln/detail/CVE-2025-25299
- https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html
- https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html?docId=ee1dca024c9b4e44aef039f99ebe6c664
- https://github.com/ckeditor/ckeditor5
- https://github.com/ckeditor/ckeditor5/releases/tag/v44.2.1
Affected packages
npm / @ckeditor/ckeditor5-real-time-collaboration
Package
- Name
- @ckeditor/ckeditor5-real-time-collaboration
- View open source insights on deps.dev
- Purl
- pkg:npm/%40ckeditor/ckeditor5-real-time-collaboration
npm / ckeditor5-premium-features
Package
- Name
- ckeditor5-premium-features
- View open source insights on deps.dev
- Purl
- pkg:npm/ckeditor5-premium-features