CVE-2023-34245
@udecode/plate-link does not sanitize URLs to prevent use of the `javascript:` scheme
Description
### Impact

Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content.

### Patches

`@udecode/plate-link` 20.0.0 resolves this issue by introducing an `allowedSchemes` option to the link plugin, defaulting to `['http', 'https', 'mailto', 'tel']`. URLs using a scheme that isn't in this list will not be rendered to the DOM.

### Workarounds

If you are unable to update `@udecode/plate-link` to version 20.0.0, we recommend overriding the `LinkElement` and `PlateFloatingLink` components with implementations that explicitly check the URL scheme before rendering any anchor elements.
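As an added example (not code from the Plate project), the kind of scheme allowlist check that a custom `LinkElement` or `PlateFloatingLink` override could apply before rendering an anchor, mirroring the default list of the `allowedSchemes` option; `DEFAULT_ALLOWED_SCHEMES`, `urlScheme`, `isAllowedUrl` and `safeHref` are illustrative names, and the placeholder base origin is assumed only to resolve relative hrefs.

```javascript
// Added example, not @udecode/plate-link code: allowlist the URL scheme before
// an href is ever rendered. Default list matches the 20.0.0 `allowedSchemes`.
const DEFAULT_ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];

// Relative links inherit the page's scheme in a browser; an assumed https
// placeholder origin models that when no document is available (e.g. SSR/tests).
const RESOLVE_BASE = 'https://placeholder.invalid/';

// Returns the lower-case scheme of `url` without the trailing ':', or null if
// the value is not a string or cannot be parsed.
function urlScheme(url) {
  if (typeof url !== 'string') return null;
  try {
    // The WHATWG URL parser normalises the way the browser's navigation code
    // does: leading/trailing C0 controls and spaces are trimmed, embedded
    // tab/newline characters are removed, and the scheme is lower-cased.
    // Hand-written regexes that skip those steps are the usual bypass source.
    return new URL(url, RESOLVE_BASE).protocol.slice(0, -1);
  } catch (e) {
    return null; // unparsable input is treated as not allowed
  }
}

// True only when the URL resolves to a scheme in the allowlist.
function isAllowedUrl(url, allowedSchemes = DEFAULT_ALLOWED_SCHEMES) {
  const scheme = urlScheme(url);
  return scheme !== null && allowedSchemes.includes(scheme);
}

// Value to put in the anchor's href; undefined means "render no href at all",
// which is the behaviour the patched plugin applies to rejected schemes.
function safeHref(url, allowedSchemes = DEFAULT_ALLOWED_SCHEMES) {
  return isAllowedUrl(url, allowedSchemes) ? url : undefined;
}
```

The check runs in the render path, so it also covers links that entered the document by paste or by loading stored content rather than through the link dialog.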
How to fix CVE-2023-34245
To remediate CVE-2023-34245, upgrade the affected package to a fixed version below.
- `@udecode/plate-link`: upgrade to 20.0.0 or later
Is CVE-2023-34245 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `@udecode/plate-link`: from 0, < 20.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |