VYPR
Medium severity (6.1) · NVD Advisory · Published Apr 4, 2025 · Updated Apr 29, 2026

CVE-2025-3191

Description

All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the tag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: react-draft-wysiwyg (npm)
Affected versions: <= 1.15.0
Patched versions: none published

Vulnerability mechanics

Root cause

"Missing input validation on the Embedded button's link field allows javascript: URIs to be injected into an iframe src attribute."

Attack vector

An attacker can exploit this by using the editor's Embedded button to input a `javascript:` URI (e.g., `javascript:alert('XSS')`) as the link target [ref_id=1]. The editor fails to filter or reject non-http/https protocols, so the payload is stored in an `

Affected code

The vulnerability resides in the Embedded button handler of the react-draft-wysiwyg editor component. The code does not validate or sanitize the user-supplied link before inserting it into an `

What the fix does

No patch has been published for this vulnerability. The advisory recommends that if the link starts with `javascript:` or any protocol outside `http:` or `https:`, the editor should filter it or refuse to open it [ref_id=1]. Until a fix is released, developers must implement client-side input validation on the Embedded button's link field to reject dangerous URI schemes.
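One way to implement the recommended allow-list check in the application's own Embedded-button handler, as an added example that is not code from react-draft-wysiwyg or the advisory; the `sanitizeEmbedUrl` and `buildEmbedIframeHtml` names and the iframe markup are assumptions:

```javascript
// Added example (not code from react-draft-wysiwyg): allow-list URL scheme
// validation for an embed link field, as the advisory recommends.

const ALLOWED_EMBED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if the scheme is http(s), otherwise null.
// Using the WHATWG URL parser (rather than a regex or a startsWith check) means
// leading whitespace, mixed case ("JavaScript:") and embedded tab/newline
// characters are normalized before the scheme is compared, so those variants
// cannot slip past the check.
function sanitizeEmbedUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // No base URL is given: relative inputs such as "//host/path" throw and are
    // rejected, which is the desired behaviour for an iframe embed target.
    url = new URL(raw);
  } catch {
    return null;
  }
  return ALLOWED_EMBED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Hypothetical drop-in for an Embedded button "Add" handler: only a validated
// URL is ever written into the iframe's src attribute.
function buildEmbedIframeHtml(raw, width = 560, height = 315) {
  const src = sanitizeEmbedUrl(raw);
  if (src === null) {
    return null; // caller should show an error instead of inserting anything
  }
  // src is a parser-normalized http(s) URL; escape it for the attribute context.
  const escaped = src.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${escaped}" width="${Number(width)}" height="${Number(height)}"></iframe>`;
}
```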

Preconditions

  • input: The victim must use a browser that executes javascript: URIs in iframe src attributes
  • auth: The attacker must have access to the editor's Embedded button (no authentication required)
  • config: The application must render the editor output without additional sanitization

Reproduction

1. Create a React app with the Editor component as shown in the researcher's demo code [ref_id=1].
2. Run `npm start` and navigate to `http://localhost:3000`.
3. Click the **Embedded** button in the toolbar.
4. In the "Enter link" field, input `javascript:alert('XSS')` and click **Add**.
5. Observe that the JavaScript executes in the context of localhost:3000, and the payload is stored in an `

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
