Description

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered by user interaction.
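A defensive check for the class of bug described above, as an added example that is not Tiptap's code or its 2.10.4 fix: a scheme allowlist applied to a link href before an application stores or renders it. The function names, the allowlist contents and the placeholder base URL are assumptions, and the sample inputs are constructed.

```javascript
// Added example: scheme allowlist for user-supplied link hrefs.
// All names are hypothetical; none are part of @tiptap/extension-link.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Placeholder base so relative hrefs can be parsed (.invalid is a reserved TLD).
const PARSE_BASE = "https://base.invalid/";

function isSafeLinkHref(href, allowed = ALLOWED_SCHEMES) {
  if (typeof href !== "string" || href.trim() === "") return false;
  let url;
  try {
    // The WHATWG URL parser normalises input the way a browser does:
    // it strips leading/trailing C0 controls and spaces, removes
    // tab/CR/LF anywhere in the string, and lowercases the scheme.
    // Comparing the raw string against "javascript:" misses those forms.
    url = new URL(href, PARSE_BASE);
  } catch {
    return false; // unparseable input is rejected, not guessed at
  }
  return allowed.has(url.protocol);
}

// Split a batch of hrefs into accepted and rejected lists, e.g. when
// auditing stored editor content after upgrading.
function auditHrefs(hrefs) {
  const accepted = [];
  const rejected = [];
  for (const h of hrefs) (isSafeLinkHref(h) ? accepted : rejected).push(h);
  return { accepted, rejected };
}

// Constructed sample inputs: ordinary links plus scheme variants that a
// naive string comparison would let through.
const SAMPLES = [
  "https://example.com/a",
  "/docs/page",
  "mailto:user@example.com",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  "  javascript:void(0)",
  "java\tscript:void(0)",
  "\u0001javascript:void(0)",
  "data:text/html,<b>x</b>",
];

console.log(auditHrefs(SAMPLES));
```

Validation of this kind belongs at every point where an href enters the document (typed, pasted, or loaded from stored content), not only in the link dialog.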

INFO

Published Date: 2025-12-09T05:00:03.409Z

Last Modified: 2025-12-09T14:59:53.928Z

Source: snyk

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-14284 vulnerability.

Vendor: Tiptap
Products:
  • Tiptap
  • Tiptap/extension-link

CVSS Vulnerability Scoring System

[Chart: CVSS vector values. Metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability]

[Chart: CVSS vector values. Metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact]