PT-2025-7555 · Unknown · CKEditor 5

Mgsy · Published 2025-02-20 · Updated 2025-03-03 · CVE-2025-25299

CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: CKEditor 5 versions prior to 44.2.1

Description: A Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time collaboration package, affecting the user markers that represent users' positions within the document. It can lead to unauthorized JavaScript code execution, but only under a very specific editor and token endpoint configuration. The vulnerability affects only installations with Real-time collaborative editing enabled.

Recommendations: For versions prior to 44.2.1, update to version 44.2.1 or later to resolve the issue. As a temporary workaround, consider disabling the Real-time collaborative editing feature until the update is applied. Restrict access to the vulnerable user markers to minimize the risk of exploitation. Avoid using the specific endpoint configurations that may trigger the vulnerability until the issue is resolved.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2025-25299
GHSA-J3MM-WMFM-MWVH

Affected Products

CKEditor 5