CVE-2025-64501 Overview
CVE-2025-64501 is a Cross-Site Scripting (XSS) vulnerability in the prosemirror_to_html Ruby gem, a JSON-to-HTML converter for ProseMirror-compatible documents. Versions 0.2.0 and below fail to escape HTML attribute values during conversion. While tag content is properly escaped, attribute values pass through unchanged, allowing attackers to inject arbitrary JavaScript through crafted ProseMirror JSON. The flaw is classified as [CWE-79]. Any application that converts user-supplied ProseMirror content to HTML using this gem exposes end users viewing the rendered output to script execution. The maintainer released a fix in version 0.2.1.
Critical Impact
Attackers can inject JavaScript into rendered HTML through unescaped attribute values, enabling session theft, account takeover, and arbitrary actions in the victim's browser context.
Affected Products
- prosemirror_to_html Ruby gem versions 0.2.0 and below
- Ruby applications converting user-generated ProseMirror JSON to HTML
- End users rendering output produced by vulnerable versions of the gem
Discovery Timeline
- 2025-11-10 - CVE-2025-64501 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64501
Vulnerability Analysis
The prosemirror_to_html gem walks a ProseMirror JSON document tree and serializes each node to HTML. During serialization, the library iterates over node attributes and concatenates them directly into the output string. Tag bodies receive HTML escaping, but attribute values do not. An attacker who controls any attribute in the source JSON can break out of the attribute context and inject event handlers such as onerror, onmouseover, or onclick containing JavaScript. Because rendered HTML executes in the origin of the hosting application, successful injection yields full DOM access, including cookies not marked HttpOnly, session tokens stored in localStorage, and CSRF tokens embedded in the page.
Root Cause
The vulnerable code path concatenates raw attribute values into the output without calling any escaping routine. The fix introduces CGI.escapeHTML on every attribute value before interpolation, ensuring characters such as ", <, >, and & are encoded.
Attack Vector
Exploitation requires an attacker to supply ProseMirror JSON containing a node attribute with a malicious value, for example a link href or an image alt set to " onerror=alert(1) x=". When a victim loads a page rendering this content, the browser parses the injected handler and executes the attacker's script. User interaction (UI:R) is required to view the rendered page, and the privileges required are low because most platforms accept content from authenticated low-privilege users.
# Patch applied in lib/prosemirror_to_html.rb (version 0.2.1)
attrs = ''
if tag&.attrs
tag.attrs.each_pair do |attr, value|
- attrs << " #{attr}=\"#{value}\""
+ escaped_value = CGI.escapeHTML(value.to_s)
+ attrs << " #{attr}=\"#{escaped_value}\""
end
end
Source: GitHub commit 4d59f94
Detection Methods for CVE-2025-64501
Indicators of Compromise
- Rendered HTML containing event handler attributes such as onerror=, onmouseover=, or onload= inside fields sourced from user-supplied ProseMirror documents.
- Outbound requests from end-user browsers to attacker-controlled domains shortly after viewing user-generated content pages.
- ProseMirror JSON in application storage where attribute values include quote characters, angle brackets, or javascript: URIs.
Detection Strategies
- Audit Gemfile.lock across Ruby projects for prosemirror_to_html at version 0.2.0 or below.
- Implement Content Security Policy (CSP) violation reporting and review reports referencing inline script execution on content rendering routes.
- Add regression tests that submit ProseMirror nodes containing attributes with " and < characters and assert the output is encoded.
Monitoring Recommendations
- Log and alert on anomalous JavaScript errors or CSP violations originating from pages that render ProseMirror content.
- Monitor web application firewall logs for ProseMirror JSON payloads containing HTML metacharacters in attribute fields.
- Track outbound DNS and HTTP requests from authenticated user sessions to newly registered or low-reputation domains.
How to Mitigate CVE-2025-64501
Immediate Actions Required
- Upgrade prosemirror_to_html to version 0.2.1 or later in all Ruby applications.
- Rebuild and redeploy any container images or artifacts that bundled the vulnerable gem.
- Invalidate active sessions if exploitation is suspected, as injected scripts may have exfiltrated session cookies.
Patch Information
The vendor released version 0.2.1 containing the fix. The patch applies CGI.escapeHTML to every attribute value before serialization. Review the GitHub Security Advisory GHSA-52c5-vh7f-26fx and the upstream commit for full details.
Workarounds
- Sanitize ProseMirror JSON before conversion by stripping or encoding attribute values containing HTML metacharacters.
- Pass converted output through a server-side HTML sanitizer such as Loofah or sanitize before sending it to clients.
- Deploy a strict Content Security Policy that blocks inline event handlers and disallows unsafe-inline script sources.
# Update the gem to the patched version
bundle update prosemirror_to_html --conservative
# Verify the installed version is 0.2.1 or later
bundle show prosemirror_to_html
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

