PT-2025-46205 · Unknown · Prosemirror To Html

Published: 2025-11-06 · Updated: 2025-11-11 · CVE-2025-64501

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ProsemirrorToHtml versions 0.2.0 and below

Description: The prosemirror_to_html gem contains a flaw that allows Cross-Site Scripting (XSS). The cause is improper handling of HTML attribute values when ProseMirror-compatible JSON is converted to HTML: the text content of HTML elements is correctly escaped, but attribute values are emitted without escaping, so an attacker who controls the document JSON can break out of an attribute and inject arbitrary JavaScript. Applications that use prosemirror_to_html to convert ProseMirror documents to HTML, particularly those handling user-generated content, and the end users who view the resulting HTML are potentially at risk.

Recommendations: Update to version 0.2.1 or later.
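The following is an added illustration, not code from the gem or from this advisory. It is a deliberately small, hypothetical ProseMirror-JSON-to-HTML renderer whose `escape_attrs` switch reproduces the class of flaw described above (element text escaped, attribute values not) next to the hardened behaviour (attribute values passed through `CGI.escapeHTML` as well). The sample document, the node and mark names handled, and the `unexpected_attributes` allowlist check are all assumptions made for the example; the check is the kind of output-side guard a defender can run over rendered HTML to catch attribute breakout regardless of which converter produced it.

```ruby
require "cgi"

# Constructed sample document (not from the advisory): a link mark whose href
# value contains a double quote, so it escapes the attribute if emitted verbatim.
SAMPLE_DOC = {
  "type" => "doc",
  "content" => [
    { "type" => "paragraph",
      "content" => [
        { "type" => "text", "text" => "<b>hi</b>" },
        { "type" => "text", "text" => "link",
          "marks" => [{ "type" => "link",
                        "attrs" => { "href" => 'https://example.com/" onmouseover="alert(1)' } }] }
      ] }
  ]
}.freeze

# Hypothetical renderer (not the gem's code). escape_attrs: false reproduces the
# flawed behaviour the advisory describes; escape_attrs: true is the hardened form.
def render_node(node, escape_attrs:)
  case node["type"]
  when "doc", "paragraph"
    inner = (node["content"] || []).map { |c| render_node(c, escape_attrs: escape_attrs) }.join
    node["type"] == "paragraph" ? "<p>#{inner}</p>" : inner
  when "text"
    # Element text was always escaped; only attribute handling differs.
    html = CGI.escapeHTML(node["text"].to_s)
    (node["marks"] || []).reduce(html) { |acc, mark| wrap_mark(acc, mark, escape_attrs) }
  else
    ""
  end
end

def wrap_mark(inner, mark, escape_attrs)
  return "<strong>#{inner}</strong>" if mark["type"] == "bold"
  return inner unless mark["type"] == "link"

  href = mark.dig("attrs", "href").to_s
  # The fix: attribute values need the same HTML escaping as element text.
  # CGI.escapeHTML turns " into &quot; so the value can no longer close the attribute.
  href = CGI.escapeHTML(href) if escape_attrs
  %(<a href="#{href}">#{inner}</a>)
end

def render_vulnerable(doc)
  render_node(doc, escape_attrs: false)
end

def render_hardened(doc)
  render_node(doc, escape_attrs: true)
end

# Output-side guard (assumed allowlist): list every attribute name present in the
# rendered HTML that the renderer is not expected to emit. A breakout such as an
# injected event handler shows up here as an unexpected attribute name.
ALLOWED_ATTRS = %w[href].freeze

def unexpected_attributes(html)
  html.scan(/\s([a-zA-Z-]+)="[^"]*"/).flatten.uniq - ALLOWED_ATTRS
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_vulnerable(SAMPLE_DOC)}"
  puts "  unexpected attributes: #{unexpected_attributes(render_vulnerable(SAMPLE_DOC)).inspect}"
  puts "hardened:   #{render_hardened(SAMPLE_DOC)}"
  puts "  unexpected attributes: #{unexpected_attributes(render_hardened(SAMPLE_DOC)).inspect}"
end
```

In the vulnerable rendering the quote in the href value closes the attribute and a second attribute appears in the output; the allowlist check reports it. In the hardened rendering the same input yields a single `href` whose value contains `&quot;`, and the check reports nothing. Escaping at the attribute boundary is the fix; the allowlist scan is a cheap regression test to keep around after upgrading to 0.2.1 or later.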

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-64501
GHSA-52C5-VH7F-26FX

Affected Products

Prosemirror To Html