Cross-Site Scripting Vulnerability in ProseMirrorToHtml by etaminstudio
CVE-2025-64501

7.6HIGH

Key Information:

Vendor: Etaminstudio
Status: Prosemirror To Html
Vendor: CVE Published:; 10 November 2025

🔔 Create Etaminstudio Vulnerability Alert

What is CVE-2025-64501?

The ProsemirrorToHtml JSON converter, used for transforming ProseMirror-compatible JSON into HTML, is vulnerable to Cross-Site Scripting (XSS) attacks in versions 0.2.0 and earlier. This vulnerability arises due to insecure handling of attribute values within HTML output, allowing attackers to inject malicious JavaScript through these values. Although the content within tags is correctly escaped, the lack of escaping in attribute values presents a significant security risk. Affected applications that convert user-generated ProseMirror content to HTML and end users viewing this content may be at risk. The issue has been addressed in version 0.2.1.

Affected Version(s)

prosemirror_to_html < 0.2.1

References

https://github.com/etaminstudio/prosemirror_to_html/secur...

x_refsource_CONFIRM

https://github.com/etaminstudio/prosemirror_to_html/commi...

x_refsource_MISC

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2025
Vulnerability Reserved
Nov 5, 2025

JSON