CVE-2025-58064
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-04
Assigner: GitHub, Inc.
Description
A cross-site scripting (XSS) vulnerability in the CKEditor 5 clipboard package (`@ckeditor/ckeditor5-clipboard`, also shipped inside the `ckeditor5` umbrella package). The clipboard code renders editor content to plain text, and its handling of view RawElement instances during that step could lead to unauthorized JavaScript execution if an attacker had managed to get malicious content into the editor. Only installations with a specific configuration are affected: either the HTML embed plugin is enabled, or a custom plugin introduces an editable element implementing the view RawElement interface. Affected versions are 44.2.0 up to and including 45.2.1 and 46.0.0 up to and including 46.0.2. The fix is available in 45.2.2 (backport) and 46.0.3.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ckeditor | ckeditor5 | 44.2.0 up to and including 45.2.1 (fixed in 45.2.2) |
| ckeditor | ckeditor5 | 46.0.0 up to and including 46.0.2 (fixed in 46.0.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58064 is a cross-site scripting (XSS) vulnerability in the CKEditor 5 clipboard package (npm name `@ckeditor/ckeditor5-clipboard`, also bundled in the `ckeditor5` umbrella package). When the clipboard code renders editor content to plain text, the way it handled view RawElement instances could result in attacker-controlled JavaScript running in the browser of a user working in the editor. The precondition is that the attacker has already managed to insert malicious content into the editor, for example through stored content that is later loaded into it. Exploitation also requires a specific editor configuration: either the HTML embed plugin is enabled, or a custom plugin introduces an editable element implementing the view RawElement interface; a build without such plugins is not affected. Vulnerable versions are 44.2.0 up to and including 45.2.1 and 46.0.0 up to and including 46.0.2. The issue is fixed in 45.2.2 (a backport for the 45.x line) and 46.0.3. [1, 2]
How can this vulnerability impact me?
If an attacker can place malicious content into a document that your users open in CKEditor 5, the injected script runs in the origin of the application that embeds the editor, with the victim's session. That allows the usual XSS consequences: reading cookies or tokens that are not protected by HttpOnly, performing actions in the application on behalf of the victim, and silently altering the document content. Because the vulnerable code path is only reached when the HTML embed plugin is enabled or a custom plugin contributes a view RawElement, the risk for a given deployment depends on its editor configuration as well as its version. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: the installed version and the editor configuration. First check the version of the CKEditor 5 packages in your project, for example with `npm ls ckeditor5 @ckeditor/ckeditor5-clipboard` (note the scoped name `@ckeditor/ckeditor5-clipboard`; there is no npm package called `ckeditor5-clipboard`), and compare it against the affected ranges 44.2.0 up to and including 45.2.1 and 46.0.0 up to and including 46.0.2. Look at every copy `npm ls` reports, since a nested duplicate can keep an old version alive. For CDN or prebuilt bundles, the loaded version is exposed at runtime in the `CKEDITOR_VERSION` global. Second, review the editor configuration: the installation is only exposed if the `HtmlEmbed` plugin is in the plugin list, or if a custom plugin creates editable elements that implement view RawElement (in a downcast converter this is done with the writer's `createRawElement()` method). This is a client-side issue, so there is no network signature or network detection command for it. [1, 2]
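As an added example (not code from the BaseFortify page or from the CKEditor 5 project), the following Node.js script turns the version check above into something that runs offline: it parses semver strings, tests them against the two disjoint affected ranges (44.2.0 up to 45.2.1 and 46.0.0 up to 46.0.2, with fixes in 45.2.2 and 46.0.3), and walks the `packages` map of an npm lockfile so that nested duplicate installs are reported too. The lockfile in the block is constructed for the example; `SAMPLE_LOCKFILE`, `findAffectedPackages` and the other names are the example's own.

```javascript
// Added example for this page (not BaseFortify's or the CKEditor 5 project's
// code): decide whether installed CKEditor 5 packages fall in the ranges the
// advisory names. The two ranges are disjoint because 45.2.2 is a backported
// fix, so a naive "< 46.0.3" test would wrongly flag 45.2.2 as vulnerable.

// npm package names to look for. `ckeditor5` is the umbrella package; the
// scoped clipboard package is the one the advisory is about.
const WATCHED_PACKAGES = ['ckeditor5', '@ckeditor/ckeditor5-clipboard'];

// [lowInclusive, highExclusive] pairs, taken from the advisory text.
const AFFECTED_RANGES = [
  ['44.2.0', '45.2.2'],
  ['46.0.0', '46.0.3'],
];

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts below the matching release (semver
// rule 11), so 46.0.3-alpha.0 still counts as below the fixed 46.0.3.
// Ordering between two different pre-release tags is not needed here and is
// deliberately treated as equal.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (pa[part] !== pb[part]) return pa[part] < pb[part] ? -1 : 1;
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(([low, high]) =>
    compareSemver(version, low) >= 0 && compareSemver(version, high) < 0);
}

// Scan the "packages" map of an npm lockfile (lockfileVersion 2 or 3). Keys
// are install paths such as "node_modules/@ckeditor/ckeditor5-clipboard" or
// nested "node_modules/foo/node_modules/ckeditor5"; the package name is the
// part after the last "node_modules/". One finding per watched copy, so a
// duplicated install (a classic way an old version lingers) is visible.
function findAffectedPackages(lockfile) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    const idx = installPath.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project; workspace entries have no node_modules/ prefix
    const name = installPath.slice(idx + 'node_modules/'.length);
    if (!WATCHED_PACKAGES.includes(name) || !meta.version) continue;
    findings.push({ name, version: meta.version, installPath, affected: isAffectedVersion(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): the umbrella
// package is still on a vulnerable 46.0.x, while a nested copy of the
// clipboard package already carries the 45.x backport.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ckeditor5': { version: '46.0.2' },
    'node_modules/some-plugin/node_modules/@ckeditor/ckeditor5-clipboard': { version: '45.2.2' },
    'node_modules/@ckeditor/ckeditor5-html-embed': { version: '46.0.2' },
  },
};

// Print one line per watched package copy and return the findings.
function report(lockfile) {
  const findings = findAffectedPackages(lockfile);
  for (const f of findings) {
    console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.name}@${f.version}  (${f.installPath})`);
  }
  return findings;
}

report(SAMPLE_LOCKFILE);
```

To scan a real project, read `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the object to `report()`. This is a version check only: it says nothing about whether the HTML embed plugin or a custom RawElement plugin is actually configured, which still has to be reviewed by hand.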
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade to a fixed release: 46.0.3 or later, or 45.2.2 if you need to stay on the 45.x line. Upgrade all CKEditor 5 packages together (`ckeditor5` and every `@ckeditor/ckeditor5-*` package), because CKEditor 5 requires all of its packages to be on the same version, and confirm afterwards that no older copy remains in the dependency tree. If upgrading is not immediately possible, remove the HTML embed plugin from the editor configuration and disable any custom plugin that introduces editable elements implementing view RawElement, keeping in mind that content which relied on a removed plugin will not be preserved when documents are loaded. [1, 2]