CVE-2025-25299
Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package
Description
### Impact

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document. This vulnerability affects only installations with [Real-time collaborative editing](https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html) enabled.

### Patches

The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above).

### For more information

Email us at [[email protected]](mailto:[email protected]) if you have any questions or comments about this advisory.
How to fix CVE-2025-25299
To remediate CVE-2025-25299, upgrade each affected package to the fixed version listed below.
- —upgrade to 44.2.1 or later
- —upgrade to 44.2.1 or later
Is CVE-2025-25299 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 42.0.0, < 44.2.1
- >= 41.3.0, < 44.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |