Description

Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.

INFO

Published Date :

2025-09-09T00:00:00.000Z

Last Modified :

2025-09-22T15:38:50.451Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-57665 vulnerability.

Vendors Products
Element-plus
  • Element-plus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-57665.

URL Resource
https://element-plus.org/en-US/component/link.html cve-icon cve-icon
https://github.com/element-plus/element-plus cve-icon cve-icon
https://github.com/element-plus/element-plus/blob/dev/packages/components/link/src/link.vue cve-icon cve-icon
https://github.com/element-plus/element-plus/pull/21711 cve-icon cve-icon
https://www.npmjs.com/package/element-plus cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact