CVE-2025-57665
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-17

Assigner: MITRE

Description
Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-17
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57665
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
element-plus element-plus to 2.10.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2025-57665 affects the Element Plus Link component (el-link) up to version 2.10.6. It arises because the component directly passes user-controlled href attribute values to underlying anchor (<a>) elements without validating the protocol or sanitizing the URL. This lack of input validation allows attackers to inject malicious URLs using dangerous protocols like javascript:, data:, or file:, or redirect users to external malicious sites. This creates risks such as Cross-Site Scripting (XSS) attacks, phishing campaigns, and open redirect exploits in applications using this component with untrusted URL inputs. [1, 2]

Impact Analysis

This vulnerability can impact you by enabling attackers to perform XSS attacks, which can execute malicious scripts in users' browsers, steal sensitive information, or hijack user sessions. It also allows phishing attacks by redirecting users to malicious websites, potentially leading to credential theft or malware infections. Open redirect exploits can undermine user trust and compromise application security, especially if your application uses the Element Plus Link component with user-controlled or untrusted URLs. [1, 2]

Detection Guidance

This vulnerability can be detected by inspecting the usage of the Element Plus Link component (el-link) in your application, specifically checking if user-controlled or untrusted inputs are passed directly to the href attribute without validation or sanitization. There are no specific network detection commands provided. However, you can audit your codebase for el-link components and verify if href values are sanitized. Additionally, you can use browser developer tools to inspect anchor elements rendered by el-link for unsafe protocols such as 'javascript:', 'data:', or 'file:'. No explicit commands are provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include validating and sanitizing all URLs assigned to the href attribute of the el-link component. Use a whitelist approach to allow only safe protocols such as 'http:' and 'https:'. For example, implement a sanitizeUrl function that parses URLs and returns a safe fallback (e.g., '#') if the URL is unsafe or malformed. Additionally, add the attributes rel="noopener noreferrer" to links to prevent tab-nabbing and other attacks. Review and follow the security warning added to the component's documentation to increase awareness. Avoid relying on automatic filtering within the component, and instead enforce URL validation in your application logic. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart