
CVE-2025-3191: React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.04923%
Published: 4/4/2025
Updated: 4/4/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: react-draft-wysiwyg
Ecosystem: npm
Vulnerable Versions: <= 1.15.0
First Patched Version: none listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is triggered through the Embedded button of the react-draft-wysiwyg Editor component. Based on the package's architecture and the PoC, the attack flow would involve: 1) handleEmbeddedLink processing the malicious input, 2) addEmbedded creating the iframe element, and 3) render displaying the content. These functions would appear in the call stack during exploitation. Confidence is high for handleEmbeddedLink, as it is the primary input handler, and medium for the other two, which are part of the processing chain but might not directly contain the vulnerability.


WAF Protection Rules

WAF Rule

All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button, which will then result in saving the payload in the <iframe> tag.
