CVE-2025-64501
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64501
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
prosemirror prosemirror_to_html 0.2.0
prosemirror prosemirror_to_html 0.2.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in prosemirror_to_html versions 0.2.0 and below is a Cross-Site Scripting (XSS) issue where malicious HTML attribute values are not properly escaped. While the tag content is escaped, attribute values can contain injected JavaScript code, allowing attackers to execute arbitrary scripts when the HTML is rendered.

Impact Analysis

This vulnerability can allow attackers to inject and execute arbitrary JavaScript code in applications that use prosemirror_to_html to convert ProseMirror JSON to HTML. This can lead to attacks on users viewing the rendered HTML, potentially compromising user data, session tokens, or performing actions on behalf of the user without their consent.

Mitigation Strategies

Upgrade the prosemirror_to_html gem to version 0.2.1 or later, as this version fixes the Cross-Site Scripting (XSS) vulnerability by properly escaping HTML attribute values.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart