Description

ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.

INFO

Published Date :

2025-11-10T21:37:01.010Z

Last Modified :

2025-11-12T20:14:32.113Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64501 vulnerability.

Vendors Products
Etaminstudio
  • Prosemirror To Html
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64501.

URL Resource
https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 cve-icon cve-icon
https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact