CVE-2024-43411
Description
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CKEditor 4.22+ has a theoretical XSS risk if the cke4.ckeditor.com domain is compromised; patched in 4.25.0-lts.
Vulnerability
Overview
CVE-2024-43411 describes a theoretical cross-site scripting (XSS) vulnerability in CKEditor 4, version 4.22 and later. The issue arises from the editor's version notification feature, which makes a request to https://cke4.ckeditor.com to check for updates [1][2]. If an attacker were to gain control over that domain, they could manipulate the response to inject malicious content that would be parsed and executed within the editor's instance [4].
Exploitation
Conditions
The attack is conditional on a highly unlikely scenario: the attacker must first compromise the cke4.ckeditor.com domain [2]. Additionally, the version notification feature must be enabled in the editor. This feature is disabled by default in all CKEditor 4 LTS (Long Term Support) versions, significantly reducing the real-world risk for users of those editions [1][4]. The vulnerability is purely hypothetical, but it was addressed to align with security best practices [4].
Impact
If the prerequisites are met, an attacker could execute arbitrary JavaScript in the context of a user's browser when the editor loads the version check response. This could lead to XSS attacks, potentially compromising data or user sessions. However, the impact is considered low (CVSS 3.1 base score: 3.1) due to the extreme difficulty of domain takeover and the default-disabled nature of the vulnerable feature [2].
Mitigation
The fix is included in CKEditor 4 version 4.25.0-lts [4]. Users are advised to update to this version or ensure that the version notification feature remains disabled. Since CKEditor 4 open source reached end-of-life on June 30, 2023, users of the open-source version should consider upgrading to CKEditor 5 or obtaining a CKEditor 4 LTS license for continued security support [1].
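The response path described above, as an added example in JavaScript that is not CKEditor's own code: the strict `VERSION_RE`, the `TEMPLATE` string and the sample responses are assumptions, and the version name is rebuilt from parsed integers the way the fix does, so a tampered `latestVersion` field is rejected instead of being substituted into the message.

```javascript
// Added example, not CKEditor's code: models the version-check response path,
// with the version string rebuilt from parsed integers so that no
// server-controlled text reaches the notification template.
const VERSION_RE = /^4\.(\d+)\.(\d+)(-lts)?$/; // assumed strict form 4.<minor>.<patch>[-lts]

// Constructed template using the same placeholders the editor's messages use.
const TEMPLATE = 'You are using %current; the latest version is %latest.';

function parseVersion(version) {
  const parts = typeof version === 'string' ? VERSION_RE.exec(version) : null;
  if (!parts) {
    return null; // anything that is not exactly 4.N.N[-lts] is rejected outright
  }
  const minor = parseInt(parts[1], 10);
  const patch = parseInt(parts[2], 10);
  const isLts = !!parts[3];
  // `name` is derived only from the parsed numbers, never from the raw input.
  return { name: `4.${minor}.${patch}${isLts ? '-lts' : ''}`, major: 4, minor, patch, isLts };
}

function buildMessage(template, current, latest) {
  return template.replace('%current', current.name).replace('%latest', latest.name);
}

// Models the onreadystatechange handler: a malformed body or an unparseable
// version field yields null instead of a notification.
function handleResponse(responseText, current) {
  let response;
  try {
    response = JSON.parse(responseText);
  } catch (e) {
    return null;
  }
  if (!response || typeof response !== 'object') {
    return null;
  }
  const latest = parseVersion(response.latestVersion);
  const secure = parseVersion(response.secureVersion);
  if (!latest || !secure) {
    return null;
  }
  return { latest, secure, message: buildMessage(TEMPLATE, current, latest) };
}

// Constructed sample responses (not real server output).
const CURRENT = parseVersion('4.22.0');
const GOOD = '{"latestVersion":"4.25.0-lts","secureVersion":"4.25.0-lts"}';
const TAMPERED = '{"latestVersion":"4.25.0-lts<b>x</b>","secureVersion":"4.25.0-lts"}';
```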
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ckeditor4 (npm) | >= 4.22.0, < 4.25.0 | 4.25.0 |
Affected products
Patches
Commit 282796d03d0ebb5069c9cb769: Merge pull request #36 from cksource/update-version-check
1 file changed · +24 −17
core/ckeditor_version-check.js+24 −17 modified@@ -52,18 +52,20 @@ try { var request = new XMLHttpRequest(), - requestUrl = apiUrl + '?v=' + encodeURIComponent( versionInfo.current.original ); + requestUrl = apiUrl + '?v=' + encodeURIComponent( versionInfo.current.name ); request.onreadystatechange = function() { if ( request.readyState === 4 && request.status === 200 ) { - var response = JSON.parse( request.responseText ); + try { + var response = JSON.parse( request.responseText ); - versionInfo.latest = parseVersion( response.latestVersion ); - versionInfo.secure = parseVersion( response.secureVersion ); - versionInfo.isLatest = isLatestVersion(); - versionInfo.isSecure = isSecureVersion(); + versionInfo.latest = parseVersion( response.latestVersion ); + versionInfo.secure = parseVersion( response.secureVersion ); + versionInfo.isLatest = isLatestVersion(); + versionInfo.isSecure = isSecureVersion(); - callback(); + callback(); + } catch ( e ) {} } }; @@ -79,8 +81,8 @@ return; } - var notificationMessage = editor.lang.versionCheck.notificationMessage.replace( '%current', versionInfo.current.original ). - replace( '%latest', versionInfo.latest.original ). + var notificationMessage = editor.lang.versionCheck.notificationMessage.replace( '%current', versionInfo.current.name ). + replace( '%latest', versionInfo.latest.name ). replace( /%link/g, upgradeLink ), isNotificationAvailable = 'notification' in editor.plugins; @@ -102,8 +104,8 @@ consoleErrorDisplayed = true; - var consoleMessage = editor.lang.versionCheck.consoleMessage.replace( '%current', versionInfo.current.original ). - replace( '%latest', versionInfo.latest.original ). + var consoleMessage = editor.lang.versionCheck.consoleMessage.replace( '%current', versionInfo.current.name ). + replace( '%latest', versionInfo.latest.name ). replace( /%link/g, upgradeLink ); console.error( consoleMessage ); 
@@ -133,8 +135,8 @@ msg = lang.aboutDialogInsecureMessage; } - return msg.replace( '%current', versionInfo.current.original ). - replace( '%latest', versionInfo.latest.original ). + return msg.replace( '%current', versionInfo.current.name ). + replace( '%latest', versionInfo.latest.name ). replace( /%link/g, upgradeLink ); } @@ -166,12 +168,17 @@ return null; } + var minor = parseInt( parts[ 1 ] ), + patch = parseInt( parts[ 2 ] ), + isIts = !!parts[ 3 ], + name = '4.' + minor + '.' + patch + ( isIts ? '-lts' : '' ); + return { - original: version, + name: name, major: 4, - minor: Number( parts[ 1 ] ), - patch: Number( parts[ 2 ] ), - isLts: !!parts[ 3 ] + minor: minor, + patch: patch, + isLts: isIts }; }
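Review bot: in the first hunk (@@ -52,18 +52,20) the new `catch ( e ) {}` swallows every exception raised inside the block, including one thrown by `callback()`, which has nothing to do with response parsing; narrow the `try` to `JSON.parse( request.responseText )` and the `parseVersion` calls, invoke `callback()` after it, and add a comment stating that a non-JSON response is deliberately ignored. The same hunk also changes the query string to `'?v=' + encodeURIComponent( versionInfo.current.name )`, so the server now receives the normalised name rather than the original string; that is a visible behaviour change and should be mentioned in the commit message.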
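Review bot: in the notification-message hunk (@@ -79,8 +81,8) `%current` and `%latest` now receive the rebuilt `name`, but `replace( /%link/g, upgradeLink )` is unchanged and `upgradeLink` is defined outside this hunk; confirm it is assembled locally and not from any field of the server response, otherwise the notification message still carries untrusted text.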
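Review bot: in the about-dialog hunk (@@ -133,8 +135,8) `msg.replace( '%current', ... )` and `.replace( '%latest', ... )` use string patterns, which replace only the first occurrence, while `%link` uses the global regex `/%link/g`; if a localised `aboutDialogInsecureMessage` mentions a version twice, the second placeholder stays literal. Use `/%current/g` and `/%latest/g` for consistency.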
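Review bot: in the `parseVersion` hunk (@@ -166,12 +168,17) `parseInt( parts[ 1 ] )` and `parseInt( parts[ 2 ] )` are called without a radix; pass `10` explicitly. Note also that `parseInt` is more lenient than the `Number( ... )` calls it replaces (it accepts a numeric prefix and ignores trailing characters), so the constructed `name` is only guaranteed to contain digits if the regex that produces `parts` matches digits only, which is outside this hunk and worth a comment. The local `isIts` is a misspelling of the `isLts` key it populates; rename it.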
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.