VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2025 · Updated Sep 22, 2025

CVE-2025-57665

Description

Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Element Plus Link component (el-link) through 2.10.6 lacks href validation, enabling XSS, phishing, and open redirect via dangerous protocols.

Root Cause

Element Plus's el-link component passes user-supplied values for the href attribute directly to the underlying HTML anchor element without any validation or sanitization [1][3]. The component does not restrict dangerous protocols such as javascript:, data:, or file:, nor does it check for external or malicious destinations [1]. This creates a security abstraction gap where developers may assume the component provides safety, while it merely reflects the raw input.

Exploitation

An attacker can supply a malicious URL as the href prop, for example javascript:alert(1) or a link to an attacker‑controlled phishing site. The component renders this value unchanged into the DOM, allowing the browser to execute script or navigate to the external destination when the link is clicked [1][4]. No authentication or special privileges are required; the attack vector is entirely client‑side and depends only on the application using user‑controlled input in the el-link component.

Impact

Successful exploitation leads to cross‑site scripting (XSS), phishing campaigns, or open redirect attacks [1]. XSS can enable session theft, credential theft, or arbitrary actions in the context of the vulnerable application. Phishing can trick users into entering sensitive information. Open redirects can be used in social engineering or to bypass URL‑based filters.

Mitigation

As of version 2.10.6, the component itself does not implement any security safeguards. The official documentation now includes a security warning advising developers to validate and sanitize URLs before passing them to el-link [4]. The documentation provides a sample sanitizeUrl function that restricts the href to allowed protocols (http:, https:) and returns # for unsafe inputs [4]. Application developers should implement such validation in their code or use a trusted URL library until the component is patched.
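To make the gap between the two mitigations concrete, here is an added example (not Element Plus code and not the documentation sample itself): the protocol-only check the documentation describes, next to a stricter filter that also pins the destination origin, which is what the open-redirect case requires. `baseOrigin` stands in for window.location.origin so the code runs outside a browser, and `allowedHosts` is an assumed application-level list.

```javascript
// Added example, not Element Plus code. Two href filters for values that
// reach <el-link :href>: the protocol-only check from the patched docs
// (with `baseOrigin` standing in for window.location.origin so it runs
// outside a browser) and a stricter version that also enforces the
// destination origin, which is what the open-redirect case needs.

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// Protocol allowlist only, as in the documentation sample.
function sanitizeUrlAsDocumented(url, baseOrigin) {
  try {
    const parsed = new URL(url, baseOrigin);
    return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// Protocol allowlist plus origin check. Relative paths resolve to the page
// origin and pass; absolute URLs pass only for baseOrigin itself or for a
// host named in `allowedHosts` (assumed to be an application-level list).
function sanitizeHref(raw, baseOrigin, allowedHosts = []) {
  if (typeof raw !== 'string') return '#';
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing whitespace and embedded
    // tab/newline and lower-cases the scheme, so "  JavaScript:" and
    // "java\nscript:" both normalise to protocol "javascript:".
    parsed = new URL(raw, baseOrigin);
  } catch {
    return '#';
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return '#';
  // Resolving "//other.example" against baseOrigin yields https://other.example
  // with a permitted protocol, so checking the protocol alone is not enough.
  if (parsed.origin === baseOrigin) return parsed.href;
  if (allowedHosts.includes(parsed.host)) return parsed.href;
  return '#';
}

// Usage in a Vue template (assumed): <el-link :href="sanitizeHref(item.url, location.origin)">
```

The stricter filter rejects same-host links that change scheme (http vs https) unless the host is explicitly allowed; relax that only if the application needs it.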

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: element-plus (npm)
Affected versions: <= 2.11.0
Patched versions: (none listed)

Affected products: 2

Patches: 1

110d4e1d7e15

docs(components): [link] add security warning (#21711)

1 file changed · +24 -0
  • docs/en-US/component/link.md (+24 -0, modified)
    @@ -7,6 +7,30 @@ lang: en-US
     
     Text hyperlink
     
    +:::warning Security Warning
    +The `href` prop will be rendered directly to an `<a>` tag. If you pass a value such as `javascript:alert(1)` or a malicious URL, it may cause **XSS** or **open redirect vulnerabilities**.
    +
    +Always validate and sanitize the URL before use. For example:
    +
    +<details>
    +<summary>Show code example</summary>
    +
    +```js
    +function sanitizeUrl(url) {
    +  const allowedProtocols = ['http:', 'https:']
    +  try {
    +    const parsed = new URL(url, window.location.origin)
    +    return allowedProtocols.includes(parsed.protocol) ? parsed.href : '#'
    +  } catch {
    +    return '#'
    +  }
    +}
    +```
    +
    +</details>
    +
    +:::
    +
     ## Basic
     
     Basic text link
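Review bot: the `sanitizeUrl` sample in this hunk checks only `parsed.protocol`, so it blocks `javascript:` and `data:` but still returns `parsed.href` for any cross-origin http(s) destination, including a protocol-relative value that `new URL(url, window.location.origin)` resolves to an absolute https URL; since the warning names open redirect as a risk, either add an origin or host allowlist check after the protocol check, or say explicitly that the sample addresses the dangerous-protocol case only. A second point: `window.location.origin` is referenced inside the `try`, so under server-side rendering, where `window` is undefined, the ReferenceError is swallowed and every link becomes `'#'`; a short comment or a guard would spare readers that surprise. Finally, because this commit changes documentation only, the warning could state that the component's own behaviour is unchanged in this release.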
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
