VYPR
Medium severity · OSV Advisory · Published Sep 15, 2025 · Updated Apr 15, 2026

CVE-2025-58172

Description

drawnix is an all-in-one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting (XSS) vulnerability exists in the debug logging functionality. User-controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function __drawnix__web__console is invoked, as shown in apps/web/src/app/app.tsx where div.innerHTML = value is executed. This can allow arbitrary JavaScript execution in the context of the application if an attacker can cause untrusted data to be passed to the debug logger (for example via a malicious extension or other injection vector), potentially exposing user data or enabling unauthorized actions. The issue is fixed in version 0.3.0. Updating to 0.3.0 or later is recommended. No known workarounds exist.
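As an added example (not code from the drawnix project or its patches), the sink the description names, `div.innerHTML = value`, rewritten to use `textContent`, alongside a small line scanner that flags HTML sinks assigned from an identifier. The names addDebugLogSafe, findHtmlSinks, makeStubElement and SAMPLE_SOURCE are this example's own, and the sample source is constructed, not the real app.tsx.

```javascript
// Added example, not drawnix code: hardened form of the debug logger plus a
// heuristic detector for the `.innerHTML = <identifier>` shape the advisory
// describes. All names below are assumptions of this example.

// Hardened logger: the element factory is injected so the same function runs
// in a browser (pass document.createElement.bind(document)) or under Node.
function addDebugLogSafe(container, value, createElement) {
  const div = createElement('div');
  div.className = 'debug-log';
  // textContent assigns a text node; markup inside `value` is never parsed.
  div.textContent = String(value);
  container.appendChild(div);
  return div;
}

// Heuristic detector: `.innerHTML =` or `.outerHTML =` followed by an
// identifier. Assignments from a string literal are skipped.
const HTML_SINK = /\.(innerHTML|outerHTML)\s*=\s*(?!['"`])(\w+)/;

function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const m = HTML_SINK.exec(text);
    if (m) findings.push({ line: idx + 1, sink: m[1], value: m[2] });
  });
  return findings;
}

// Minimal DOM element stand-in so the example runs offline (constructed).
function makeStubElement(tagName) {
  return {
    tagName, className: '', textContent: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
  };
}

// Constructed source modelled on the pattern described for app.tsx; it is
// not the real file.
const SAMPLE_SOURCE = [
  'export const addDebugLog = (board, value) => {',
  "  const div = document.createElement('div');",
  '  div.innerHTML = value;            // flagged: parameter reaches an HTML sink',
  '  container.appendChild(div);',
  '};',
  "banner.innerHTML = '<b>static</b>'; // literal, not flagged",
  'entry.textContent = value;          // safe sink, not flagged',
].join('\n');
```

In a browser, call `addDebugLogSafe(container, value, document.createElement.bind(document))`; the scanner is a grep-level aid for code review, not a replacement for an AST-based lint rule.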

Affected products: 1

Patches: 2

02f5f64b3d85

chore(release): publish 0.3.0

https://github.com/plait-board/drawnix · pubuzhixing8 · Sep 13, 2025 · via osv
4 files changed · +45 −3
  • CHANGELOG.md (+42 −0, modified)
    @@ -1,3 +1,45 @@
    +## 0.3.0 (2025-09-13)
    +
    +
    +### 🚀 Features
    +
    +- **arrow:** support set arrow mark ([#258](https://github.com/plait-board/drawnix/pull/258))
    +- **eraser:** implement eraser feature ([#221](https://github.com/plait-board/drawnix/pull/221))
    +- **eraser:** adding i18n for eraser ([427a730](https://github.com/plait-board/drawnix/commit/427a730))
    +- **eraser:** Improving all the eraser feature mentioned in #247 ([#249](https://github.com/plait-board/drawnix/pull/249), [#247](https://github.com/plait-board/drawnix/issues/247))
    +- **eraser:** drawing erasing trail animation effect ([#295](https://github.com/plait-board/drawnix/pull/295))
    +- **i18n:** added i18n tool for multi-Language support ([#232](https://github.com/plait-board/drawnix/pull/232))
    +- **i18n:** adding i18n for clean confirm ([7bdf543](https://github.com/plait-board/drawnix/commit/7bdf543))
    +- **i18n:** refactor the structure of i18n, adding with-common getI18n for plait objects, complete the translation of zh,en,ru ([#276](https://github.com/plait-board/drawnix/pull/276))
    +- **i18n:** add Arabic language ([#280](https://github.com/plait-board/drawnix/pull/280))
    +- **popup-toolbar:** add stroke select state, add stroke type text ([#272](https://github.com/plait-board/drawnix/pull/272))
    +
    +### 🩹 Fixes
    +
    +- fix dockerfile build logic ([#201](https://github.com/plait-board/drawnix/pull/201))
    +- **cursor:** set mind element css to always be inherit ([#260](https://github.com/plait-board/drawnix/pull/260))
    +- **freehand&i18n:** fix i18n of freehand toolbar and make secondary toolbar always exist while using freehand element ([#255](https://github.com/plait-board/drawnix/pull/255))
    +- **frontend:** comment addDebugLog to prevent potential XSS security issue ([#269](https://github.com/plait-board/drawnix/pull/269))
    +- **hotkey:** prevent switch arrow creation mode when mod+a #195 ([#200](https://github.com/plait-board/drawnix/pull/200), [#195](https://github.com/plait-board/drawnix/issues/195))
    +- **hotkey:** prevent enter arrow creation mode when press a and there are some selected elements ([#205](https://github.com/plait-board/drawnix/pull/205))
    +- **hotkey:** Prevent Arc browser undo on Cmd+Z in Drawnix ([#254](https://github.com/plait-board/drawnix/pull/254))
    +- **hotkey:** skip creation hotkey when use press special key and the among of alt, meta and ctrl ([#262](https://github.com/plait-board/drawnix/pull/262))
    +- **menu:** Adding margin for the menu components ([c9ecd09](https://github.com/plait-board/drawnix/commit/c9ecd09))
    +- **menu:** fix hotkey instruction for every OS ([#274](https://github.com/plait-board/drawnix/pull/274))
    +- **mind:** bump plait into 0.84.0 to fix text can not show completely mentioned in #208 ([#261](https://github.com/plait-board/drawnix/pull/261), [#208](https://github.com/plait-board/drawnix/issues/208))
    +- **toolbar:** fix issue mentioned in #290 ([#291](https://github.com/plait-board/drawnix/pull/291), [#290](https://github.com/plait-board/drawnix/issues/290))
    +- **tutorial:** fix tutorial instruction issues and update styles ([#289](https://github.com/plait-board/drawnix/pull/289))
    +
    +### ❤️  Thank You
    +
    +- Andy Lu (Lu, Yu-An) @NaoCoding
    +- coderwei @coderwei99
    +- MalikAli @MalikAliQassem
    +- Peter Chen
    +- pubuzhixing8 @pubuzhixing8
    +- Six
    +- vishwak @PATTASWAMY-VISHWAK-YASASHREE
    +
     ## 0.2.1 (2025-08-06)
     
     
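Review bot: the Fixes entry `- **frontend:** comment addDebugLog to prevent potential XSS security issue ([#269](https://github.com/plait-board/drawnix/pull/269))` describes the change by its implementation rather than its effect; the user-visible change in #269 is that the `window.__drawnix__web__console` debug global is no longer installed, so say that here and flag the entry as a security fix, so downstream consumers who called the global understand why it disappeared and that 0.3.0 closes an XSS issue.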
    
  • packages/drawnix/package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "@drawnix/drawnix",
    -  "version": "0.2.1",
    +  "version": "0.3.0",
       "main": "./index.js",
       "types": "./index.d.ts",
       "private": false,
    
  • packages/react-board/package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "@plait-board/react-board",
    -  "version": "0.2.1",
    +  "version": "0.3.0",
       "main": "./index.js",
       "types": "./index.d.ts",
       "private": false,
    
  • packages/react-text/package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "@plait-board/react-text",
    -  "version": "0.2.1",
    +  "version": "0.3.0",
       "main": "./index.js",
       "types": "./index.d.ts",
       "private": false,
    
92536e63c1ad

fix(frontend): comment addDebugLog to prevent potential XSS security issue (#269)

https://github.com/plait-board/drawnix · Andy Lu (Lu, Yu-An) · Aug 31, 2025 · via osv
1 file changed · +2 −0
  • apps/web/src/app/app.tsx (+2 −0, modified)
    @@ -52,12 +52,14 @@ export function App() {
           }}
           afterInit={(board) => {
             console.log('board initialized');
    +        /*
             console.log(
               `add __drawnix__web__debug_log to window, so you can call add log anywhere, like: window.__drawnix__web__console('some thing')`
             );
             (window as any)['__drawnix__web__console'] = (value: string) => {
               addDebugLog(board, value);
             };
    +        */
           }}
         ></Drawnix>
       );
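Review bot: wrapping the block in `/*` and `*/` only disables this one caller of `addDebugLog`; the helper itself, with the `div.innerHTML = value` sink the advisory describes, stays in app.tsx and can be reached again by uncommenting or by any future caller. Delete the dead block instead of commenting it out, and change the sink in `addDebugLog` to `textContent` (or remove the helper) so the innerHTML path is gone rather than dormant. The commit message should also say that `window.__drawnix__web__console` is no longer available, since that is the change users will notice.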
    
