CVE-2025-58064

描述

### Impact A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects **only** installations where the editor configuration meets one of the following criteria: - [HTML embed plugin](https://ckeditor.com/docs/ckeditor5/latest/features/html/html-embed.html) is enabled - Custom plugin introducing editable element which implements view [`RawElement`](https://ckeditor.com/docs/ckeditor5/latest/api/module_engine_view_rawelement-ViewRawElement.html) is enabled ### Patches The problem has been recognized and patched. The fix will be available in version 46.0.3 (and above), and explicitly in version 45.2.2. ### For more information Email us at [[email protected]](mailto:[email protected]) if you have any questions or comments about this advisory.

受影響套件(2)

• npm/ckeditor5>= 46.0.0, < 46.0.3
• npm/@ckeditor/ckeditor5-clipboard>= 44.2.0, < 45.2.2

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-58064
• PATCHhttps://github.com/ckeditor/ckeditor5
• WEBhttps://github.com/ckeditor/ckeditor5/commit/b210e90c6cf84e662ef6c7daf93a92355a961bf2
• WEBhttps://github.com/ckeditor/ckeditor5/security/advisories/GHSA-x9gp-vjh6-3wv6