Cross-site Scripting Vulnerability in @tiptap/extension-link by ueberdosis
CVE-2025-14284

5.1 MEDIUM

Key Information:

Vendor: ueberdosis
CVE Published: 9 December 2025

What is CVE-2025-14284?

The @tiptap/extension-link package before version 2.10.4 is susceptible to Cross-site Scripting (XSS) due to inadequate input sanitization. Attackers can inject malicious JavaScript through unsanitized link attributes. When a user interacts with an affected link, the injected code can execute, potentially compromising the security and integrity of the web application.

Affected Version(s)

@tiptap/extension-link 0 < 2.10.4

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thai Do Nhat