Medium severity (6.1) · NVD Advisory · Published Dec 9, 2025 · Updated Apr 29, 2026
CVE-2025-14284
Description
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS). The setLink and toggleLink commands accepted an href without checking its protocol against the extension's allow-list, so unsanitized user input could be stored as a link target. An attacker who controls the value passed to these commands can set a javascript: URL as the href; the script then executes in the context of the application when a user activates the resulting link. Ordinary HTML attribute escaping does not mitigate this, because the payload is a valid attribute value; the effective defence is rejecting unallowed URL schemes before the mark is applied, which is what 2.10.4 adds.
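The command-path flaw described above, as an added example that is not tiptap's code: a stand-alone scheme allow-list check modelled on the fix, applied to a toy editor in its unpatched form (any href stored) and its patched form (the command refuses and returns false). The ATTR_WHITESPACE regex is copied from the patched link.ts; DEFAULT_PROTOCOLS, the rule that scheme-less hrefs are treated as relative and allowed, the toy editor and the payload list are assumptions made for this example. It also shows why correct attribute escaping alone does not help.

```javascript
// Added example, not tiptap's code: a stand-alone model of the Link extension's
// setLink command before and after the 2.10.4 fix. ATTR_WHITESPACE is copied from
// the patched link.ts; DEFAULT_PROTOCOLS and the "scheme-less hrefs are relative and
// allowed" rule are assumptions made for this example.

// eslint-disable-next-line no-control-regex
const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Assumed allow-list; the real extension's list is configurable via options.protocols.
const DEFAULT_PROTOCOLS = ['http', 'https', 'ftp', 'mailto', 'tel'];

// Returns true when `uri` is safe to place in an href. Non-strings are rejected.
// Control and whitespace characters are removed first because browsers skip them
// while parsing a scheme, so "java\u0000script:" and " javascript:" are still
// executable; the scheme is then compared case-insensitively against the allow-list.
function isAllowedUri(uri, protocols = DEFAULT_PROTOCOLS) {
  if (typeof uri !== 'string') return false;
  const cleaned = uri.replace(ATTR_WHITESPACE, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!match) return true; // no scheme: relative URL such as "/docs" or "page.html"
  const scheme = match[1].toLowerCase();
  return protocols.some((p) => p.toLowerCase() === scheme);
}

// Minimal stand-in for an editor: the document is just a list of link marks.
// validate=false reproduces the pre-2.10.4 command, which stored any href unchecked;
// validate=true reproduces the patched command, which refuses and returns false.
function makeEditor({ validate = true, protocols = DEFAULT_PROTOCOLS } = {}) {
  const marks = [];
  return {
    marks,
    setLink({ href }) {
      if (validate && !isAllowedUri(href, protocols)) return false;
      marks.push({ type: 'link', attrs: { href } });
      return true;
    },
  };
}

// Standard HTML attribute escaping, as a serializer applies when rendering the mark.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render stored marks to HTML. Escaping is done correctly here and still does nothing
// against a javascript: href: the payload is a perfectly valid attribute value, so the
// only effective control is the scheme check before the mark is stored.
function renderLinks(editor) {
  return editor.marks.map((m) => `<a href="${escapeAttr(m.attrs.href)}">link</a>`).join('');
}

// Constructed payloads of the kind a naive startsWith('javascript:') check misses.
const PAYLOADS = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'java\u0000script:alert(1)',
  ' javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

function demo() {
  const vulnerable = makeEditor({ validate: false });
  const fixed = makeEditor({ validate: true });
  for (const href of PAYLOADS) {
    console.log(JSON.stringify(href), 'unpatched:', vulnerable.setLink({ href }), 'patched:', fixed.setLink({ href }));
  }
  console.log('unpatched HTML:', renderLinks(vulnerable));
  console.log('patched HTML:', renderLinks(fixed));
}

demo();
```

Run it with node: each constructed payload is stored by the unpatched editor and refused by the patched one, and the unpatched HTML shows the javascript: href surviving attribute escaping untouched.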
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @tiptap/extension-link (npm) | < 2.10.4 | 2.10.4 |
Affected products
- cpe:2.3:a:tiptap:tiptap\/extension-link:*:*:*:*:*:node.js:*:* (range: < 2.10.4)
Patches
- 1c2fefe3d61a: Fixed Link extension's commands not respecting XSS prevention via unallowed protocols (#5945)
3 files changed · +32 −3
.changeset/empty-seals-join.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"@tiptap/extension-link": patch +--- + +Added checks for allowed protocols in link commands & exported isValidUri helper for manual checks outside of the extension
demos/src/Marks/Link/React/index.jsx+6 −2 modified@@ -105,8 +105,12 @@ export default () => { } // update link - editor.chain().focus().extendMarkRange('link').setLink({ href: url }) - .run() + try { + editor.chain().focus().extendMarkRange('link').setLink({ href: url }) + .run() + } catch (e) { + alert(e.message) + } }, [editor]) if (!editor) {
packages/extension-link/src/link.ts+21 −1 modified@@ -160,7 +160,7 @@ declare module '@tiptap/core' { // eslint-disable-next-line no-control-regex const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g -function isAllowedUri(uri: string | undefined, protocols?: LinkOptions['protocols']) { +export function isAllowedUri(uri: string | undefined, protocols?: LinkOptions['protocols']) { const allowedProtocols: string[] = [ 'http', 'https', @@ -322,11 +322,31 @@ export const Link = Mark.create<LinkOptions>({ return { setLink: attributes => ({ chain }) => { + const { href } = attributes + + if (!this.options.isAllowedUri(href, { + defaultValidate: url => !!isAllowedUri(url, this.options.protocols), + protocols: this.options.protocols, + defaultProtocol: this.options.defaultProtocol, + })) { + return false + } + return chain().setMark(this.name, attributes).setMeta('preventAutolink', true).run() }, toggleLink: attributes => ({ chain }) => { + const { href } = attributes + + if (!this.options.isAllowedUri(href, { + defaultValidate: url => !!isAllowedUri(url, this.options.protocols), + protocols: this.options.protocols, + defaultProtocol: this.options.defaultProtocol, + })) { + return false + } + return chain() .toggleMark(this.name, attributes, { extendEmptyMarkRange: true }) .setMeta('preventAutolink', true)
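Review bot: The changeset text names the exported helper isValidUri, but the link.ts hunk exports isAllowedUri (`export function isAllowedUri(uri: string | undefined, protocols?: LinkOptions['protocols'])`); fix the changeset so the changelog points consumers at the symbol that actually exists.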
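Review bot: The try/catch added around `editor.chain().focus().extendMarkRange('link').setLink({ href: url }).run()` in the demo will not report a rejected URL, because the new guards in setLink and toggleLink return false instead of throwing, so `.run()` simply evaluates to false and the alert never fires. Check the boolean result instead, for example `if (!editor.chain().focus().extendMarkRange('link').setLink({ href: url }).run()) alert('Link rejected')`, and keep the catch only for a custom isAllowedUri option that throws.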
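Review bot: `isAllowedUri` becomes public API in the first link.ts hunk but carries no doc comment; document what the `protocols` argument overrides, whether ATTR_WHITESPACE characters (the regex defined directly above it) are stripped before the scheme is compared, and what is returned for a scheme-less or undefined `uri`. Also confirm the function is re-exported from the package entry point, otherwise the changeset's promise of a helper "for manual checks outside of the extension" does not hold for consumers.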
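Review bot: The guard block in the second link.ts hunk is duplicated verbatim in setLink and toggleLink (the `const { href } = attributes` destructure and the three-option call to `this.options.isAllowedUri`); extract a private helper so the two commands cannot drift apart. Two further gaps: the guard only sits in these two commands, so a caller that goes straight to `chain().setMark(this.name, attributes)` (the call the commands still delegate to) bypasses it, which should at least be documented; and `href` is destructured with no check for undefined, so any toggleLink call that passes no href now depends on how isAllowedUri treats an undefined argument.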
- f2afde0773b3
Vulnerability mechanics
References
- github.com/ueberdosis/tiptap/commit/1c2fefe3d61ab1c8fbaa6d6b597251e1b6d9aaed (nvd: Patch, Web)
- gist.github.com/th4s1s/3d1b6cd3e7257b14947242f712ec6e1f (nvd: Exploit, Third Party Advisory, Web)
- github.com/advisories/GHSA-vhrc-hgrq-x75r (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-14284 (ghsa: Advisory)
- security.snyk.io/vuln/SNYK-JS-TIPTAPEXTENSIONLINK-14222197 (nvd: Third Party Advisory, Web)
- github.com/ueberdosis/tiptap/releases/tag/v2.10.4 (nvd: Release Notes, Web)