CVE-2025-64501
Description
ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use prosemirror_to_html to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
prosemirror_to_htmlRubyGems | < 0.2.1 | 0.2.1 |
Affected products
2- Range: v0.1.0, v0.2.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-52c5-vh7f-26fxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-64501ghsaADVISORY
- github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rbghsaWEB
- github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8nvdWEB
- github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fxnvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/CVE-2025-64501.ymlghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-vfpf-xmwh-8m65.ymlghsaWEB
News mentions
0No linked articles in our index yet.