5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-21610

GHSA ID

GHSA-j386-3444-qgwg

EPSS Score

0.15586%

CWE

CWE-79

Published

1/3/2025

Updated

1/3/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-21610

CVE-2025-21610: Trix allows Cross-site Scripting via `javascript:` url in a link

The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.

Impact

An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later.

Workarounds

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References

https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

Credits

This vulnerability was reported by Hackerone researcher https://hackerone.com/lio346?type=user

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-21610

GHSA ID

GHSA-j386-3444-qgwg

EPSS Score

0.15586%

CWE

CWE-79

Published

1/3/2025

Updated

1/3/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
trix	npm	< 2.1.12	2.1.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability exists in href attribute handling within the toolbar controller. The commit adds DOMPurify validation specifically for href attributes in setAttribute, introduces a data-trix-validate-href flag, and adds XSS-specific tests. The pre-patch code lacked proper validation of javascript: URIs in href attributes during link creation/editing, which is directly addressed by the added safeAttribute/isSafeAttribute checks using DOMPurify's validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Trix **itor, v*rsions prior to *.*.**, is vuln*r**l* to XSS w**n p*stin* m*li*ious *o** in t** link *i*l*. ### Imp**t *n *tt**k*r *oul* tri*k t** us*r to *opy&p*st* * m*li*ious `j*v*s*ript:` URL *s * link t**t woul* *x**ut* *r*itr*ry J*v*S*ript

Reasoning

T** *or* vuln*r**ility *xists in *r** *ttri*ut* **n*lin* wit*in t** tool**r *ontroll*r. T** *ommit ***s `*OMPuri*y` v*li**tion sp**i*i**lly *or *r** *ttri*ut*s in `s*t*ttri*ut*`, intro*u**s * **t*-trix-v*li**t*-*r** *l**, *n* ***s XSS-sp**i*i* t*sts.

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-21610: Trix allows Cross-site Scripting via `javascript:` url in a link

Impact

Patches

Workarounds

References

Credits

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI