CVE-2025-25299: Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package
During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users’ positions within the document.
References
- ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html?docId=ee1dca024c9b4e44aef039f99ebe6c664
- github.com/advisories/GHSA-j3mm-wmfm-mwvh
- github.com/ckeditor/ckeditor5
- github.com/ckeditor/ckeditor5/security/advisories/GHSA-j3mm-wmfm-mwvh
- nvd.nist.gov/vuln/detail/CVE-2025-25299
Code Behaviors & Features
Detect and mitigate CVE-2025-25299 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →