Miggo Logo

CVE-2025-21610: Trix allows Cross-site Scripting via `javascript:` url in a link

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.15586%
Published
1/3/2025
Updated
1/3/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
trixnpm< 2.1.122.1.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability exists in href attribute handling within the toolbar controller. The commit adds DOMPurify validation specifically for href attributes in setAttribute, introduces a data-trix-validate-href flag, and adds XSS-specific tests. The pre-patch code lacked proper validation of javascript: URIs in href attributes during link creation/editing, which is directly addressed by the added safeAttribute/isSafeAttribute checks using DOMPurify's validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Trix **itor, v*rsions prior to *.*.**, is vuln*r**l* to XSS w**n p*stin* m*li*ious *o** in t** link *i*l*. ### Imp**t *n *tt**k*r *oul* tri*k t** us*r to *opy&p*st* * m*li*ious `j*v*s*ript:` URL *s * link t**t woul* *x**ut* *r*itr*ry J*v*S*ript

Reasoning

T** *or* vuln*r**ility *xists in *r** *ttri*ut* **n*lin* wit*in t** tool**r *ontroll*r. T** *ommit ***s `*OMPuri*y` v*li**tion sp**i*i**lly *or *r** *ttri*ut*s in `s*t*ttri*ut*`, intro*u**s * **t*-trix-v*li**t*-*r** *l**, *n* ***s XSS-sp**i*i* t*sts.