CVE-2025-25299
Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package
Description

### Impact

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document.

This vulnerability affects only installations with [Real-time collaborative editing](https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html) enabled.

### Patches

The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above).

### For more information

Email us at [[email protected]](mailto:[email protected]) if you have any questions or comments about this advisory.
How to patch CVE-2025-25299
To patch CVE-2025-25299, upgrade the affected packages to the patched versions listed below.
- Upgrade to 44.2.1 or later
- Upgrade to 44.2.1 or later
Is CVE-2025-25299 being exploited?
Low: EPSS is 0.3%, and no widespread exploitation activity has been observed so far.
Affected packages (2)
- >= 42.0.0, < 44.2.1
- >= 41.3.0, < 44.2.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |