CVE-2025-58064
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-09-04

Assigner: GitHub, Inc.

Description
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. ckeditor5 and ckeditor5-clipboard versions 46.0.0 through 46.0.2 and 44.2.0 through 45.2.1 contain a Cross-Site Scripting (XSS) vulnerability. Ability to exploit could be triggered by a specific user action (leading to unauthorized JavaScript code execution) if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects installations where the editor configuration meets one of the following criteria: the HTML embed plugin is enabled, or there is a custom plugin introducing an editable element where view RawElement is enabled. This issue is fixed in versions 45.2.2 and 46.0.3 of both ckeditor5 and ckeditor5-clipboard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-04
Last Modified
2025-09-04
Generated
2026-06-16
AI Q&A
2025-09-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58064
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
ckeditor ckeditor5 46.0.0
ckeditor ckeditor5 45.2.0
ckeditor ckeditor5 46.0.2
ckeditor ckeditor5 45.2.2
ckeditor ckeditor5 45.2.1
ckeditor ckeditor5 46.0.3
ckeditor ckeditor5 44.2.0
ckeditor ckeditor5 46.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58064 is a Cross-Site Scripting (XSS) vulnerability in CKEditor 5 clipboard package versions 44.2.0 through 46.0.2. It allows an attacker to execute unauthorized JavaScript code if they manage to insert malicious content into the editor. Exploitation requires a very specific editor configuration where either the HTML embed plugin is enabled or a custom plugin introduces an editable element implementing the view RawElement interface. The vulnerability arises from how raw elements are rendered to plain text, which could lead to script execution. This issue has been fixed in versions 45.2.2 and 46.0.3. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute unauthorized JavaScript code within the CKEditor 5 environment if they can insert malicious content. This could lead to potential security risks such as session hijacking, data theft, or other malicious actions performed through the injected scripts. However, exploitation is limited to specific configurations of the editor, so the risk depends on whether your installation uses the HTML embed plugin or custom raw element plugins. [1, 2]

Detection Guidance

Detection involves verifying if your CKEditor 5 installation uses vulnerable versions (44.2.0 through 46.0.2) and if the editor configuration enables the HTML embed plugin or a custom plugin with editable elements implementing view RawElement. You can check the installed package version using npm commands such as `npm list ckeditor5` or `npm list ckeditor5-clipboard`. Additionally, review your editor configuration files for the presence of the HTML embed plugin or custom raw element plugins. There are no specific network detection commands provided. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade CKEditor 5 and ckeditor5-clipboard packages to versions 46.0.3 or above, or 45.2.2 or above, where the vulnerability is fixed. Also, review your editor configuration to disable the HTML embed plugin or any custom plugins that introduce editable elements implementing view RawElement if upgrading is not immediately possible. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart