Vulnerability Description
ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d
- https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c
FAQ
What is CVE-2025-64501?
CVE-2025-64501 is a vulnerability with a CVSS score of 7.6 (HIGH). ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) a...
How severe is CVE-2025-64501?
CVE-2025-64501 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64501?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.