The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.
Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers
Attack vectors include:
- href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
- Event handlers: <div onclick="maliciousCode()">
- onerror attributes on images: <img src=x onerror="alert('XSS')">
- Other HTML attributes that can execute JavaScript
A fix is currently in development. Users should upgrade to version 0.2.1 or later once released.
The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.
Until a patched version is available, users can implement one or more of these mitigations:
html = ProsemirrorToHtml.render(document)
safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
Content-Security-Policy: default-src 'self'; script-src 'self'
| Score | Percentile |
|---|---|
| 0.02% | 6.08% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.6 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-52c5-vh7f-26fx ↗ |
| CVE | CVE-2025-64501 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rubygems | prosemirror_to_html | < 0.2.1 | 0.2.1 | — |