PT-2025-4298 · Trix · Trix

Th4S1S

·

Published

2025-01-03

·

Updated

2025-01-03

·

CVE-2025-21610

CVSS v3.1

5.3

Medium

Vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Trix editor versions prior to 2.1.12
Description: Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. The issue arises when malicious content is pasted into the link field: an attacker can trick a user into copying and pasting a javascript: URL as a link. Following that link executes arbitrary JavaScript within the context of the user's session, potentially leading to unauthorized actions or sensitive information disclosure.
Recommendations: Upgrade to Trix editor version 2.1.12 or later to receive a patch. As a temporary workaround, consider disallowing browsers that do not support a Content Security Policy (CSP) to minimize the risk of exploitation. Set CSP policies such as script-src 'self' so that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.
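The defensive check behind a fix of this kind, as an added illustration that is not Trix's own code (the actual 2.1.12 patch is not reproduced on this page): before a pasted href is turned into a link, parse it with the WHATWG URL parser and allow only an explicit set of schemes. The parser applies the same normalisation a browser does (trimming leading/trailing whitespace, stripping embedded tabs and newlines, lowercasing the scheme), so case or control-character variants of a javascript: URL are classified exactly as the browser would treat them. The base origin used for resolving relative hrefs is a constructed placeholder.

```javascript
// Added example, not Trix's own code: allowlist-based validation of a link
// href before it is inserted into rich text.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Constructed placeholder base so that relative hrefs ("/docs") resolve to a
// scheme on the allowlist instead of being rejected outright.
const RESOLVE_BASE = "https://example.invalid/";

// Returns true only when the href parses and its scheme is allowlisted.
// Relying on the URL parser (rather than a regex on the raw string) matters:
// the parser trims leading whitespace and removes tabs/newlines before
// reading the scheme, so "java\tscript:" and " JavaScript:" both come back
// with protocol "javascript:" and are rejected.
function isSafeLinkHref(href) {
  if (typeof href !== "string" || href.trim() === "") return false;
  let url;
  try {
    url = new URL(href, RESOLVE_BASE);
  } catch {
    return false; // unparseable input is never linkified
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Returns the href to store, or null when the link must be dropped. Keeping
// the original string (not the re-serialised URL) preserves the author's
// relative paths; only the decision is based on the parsed form.
function sanitizeLinkHref(href) {
  return isSafeLinkHref(href) ? href : null;
}

module.exports = { isSafeLinkHref, sanitizeLinkHref };
```

A CSP of script-src 'self' (as the recommendation above suggests) is the second layer: even if a javascript: link slips through, the browser refuses to run the inline script it triggers.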

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-21610
GHSA-J386-3444-QGWG

Affected Products

Trix