VYPR
High severity7.6OSV Advisory· Published Nov 10, 2025· Updated Apr 15, 2026

CVE-2025-64501

CVE-2025-64501

Description

ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use prosemirror_to_html to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
prosemirror_to_htmlRubyGems
< 0.2.10.2.1

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.