N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4249-gjr8-jpq3

EPSS Score

CWE

CWE-79

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4249-gjr8-jpq3

GHSA-4249-gjr8-jpq3: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:

Any application using prosemirror_to_html to convert ProseMirror documents to HTML
Applications that process user-generated ProseMirror content are at highest risk
End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

Attack vectors include:

href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
Event handlers: <div onclick="maliciousCode()">
onerror attributes on images: <img src=x onerror="alert('XSS')">
Other HTML attributes that can execute JavaScript

Patches

A fix is currently in development. Users should upgrade to version 0.2.1 or later once released. The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.

Workarounds

Until a patched version is available, users can implement one or more of these mitigations:

Sanitize output: Pass the HTML output through a sanitization library like Sanitize or Loofah:

   html = ProsemirrorToHtml.render(document)
   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)

Implement Content Security Policy (CSP): Add strict CSP headers to prevent inline JavaScript execution:

   Content-Security-Policy: default-src 'self'; script-src 'self'

Input validation: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.

References

Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
OWASP XSS Prevention Cheat Sheet

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4249-gjr8-jpq3

GHSA-4249-gjr8-jpq3:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4249-gjr8-jpq3

EPSS Score

CWE

CWE-79

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
prosemirror_to_html	rubygems	< 0.2.1	0.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue within the prosemirror_to_html gem. The root cause is the failure to escape HTML attribute values during the conversion of a ProseMirror document to HTML. The analysis of the patch in commit 4d59f94f550bcabeec30d298791bbdd883298ad8 reveals that the ProsemirrorToHtml::Renderer.render_opening_tag function was directly concatenating raw attribute values from the input JSON into the generated HTML. This allows an attacker to craft a malicious ProseMirror document with payloads like javascript:alert('XSS') in href attributes or onerror handlers on images. When the ProsemirrorToHtml::Renderer.render method is called with this malicious document, it triggers the vulnerable render_opening_tag function, which then produces an HTML output containing executable JavaScript. The patch rectifies this by properly escaping all attribute values using CGI.escapeHTML, preventing the injection and execution of arbitrary scripts.

Vulnerable functions

ProsemirrorToHtml::Renderer.render_opening_tag

lib/prosemirror_to_html.rb

This function is directly responsible for the XSS vulnerability. It constructs HTML tag attributes by iterating over pairs from the input document. Before the patch, it directly embedded the attribute `value` into the returned HTML string without any escaping or sanitization. This allowed an attacker to inject malicious content, such as a 'javascript:' URI in an 'href' attribute, leading to Cross-Site Scripting (XSS). The patch fixes this by using `CGI.escapeHTML` on the attribute value.

ProsemirrorToHtml::Renderer.render

lib/prosemirror_to_html.rb

This is the main public method that initiates the conversion of a ProseMirror JSON document to HTML. An attacker would exploit the vulnerability by supplying a malicious JSON document to this function. While the root cause of the XSS is in `render_opening_tag`, this function is the entry point that receives the malicious input and would appear at the top of a stack trace during exploitation.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4249-gjr8-jpq3: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact

Patches

Workarounds

References

GHSA-4249-gjr8-jpq3:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-4249-gjr8-jpq3: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact

Patches

Workarounds

References

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI