Tiptap Extension Link
CVE-2025-14284
Severity: LOW
Severity by source
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Blast Radius
Ecosystem impact: 8 npm packages depend on @tiptap/extension-link (8 direct, 1 indirect).
Ecosystem-wide dependent count for version 2.10.4.
Description (source: CVE.org)
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered by user interaction.
Analysis (source: AI)
Stored cross-site scripting (XSS) in @tiptap/extension-link before version 2.10.4 allows attackers to execute arbitrary JavaScript by injecting javascript: URL payloads into link attributes during link creation or modification. The vulnerability requires user interaction to trigger the payload and impacts the integrity of affected web applications. Publicly available exploit code exists, and a vendor-released patch is available in version 2.10.4.
Technical Context (source: AI)
Tiptap is a popular Vue.js and React editor framework built on ProseMirror. The @tiptap/extension-link extension provides rich link editing functionality. The vulnerability stems from insufficient input validation and sanitization (CWE-79: Improper Neutralization of Input During Web Page Generation) when processing href attributes during link creation or toggle operations. The extension fails to sanitize or validate the href value, allowing attackers to inject javascript: protocol URLs that execute arbitrary code when a user interacts with the malicious link. This is a context-dependent XSS: whether the payload persists depends on how the editor state is stored and rendered.
Remediation (source: AI)
Upgrade @tiptap/extension-link to version 2.10.4 or later: in package.json, change the dependency specification from any version before 2.10.4 to ^2.10.4 or higher, then run npm install or yarn install to fetch the patched version. For defense in depth while patching is pending, restrict editor access to trusted users only and deploy a Content Security Policy whose script-src directive does not include 'unsafe-inline', so that navigation to javascript: URLs is blocked. Note that an overly restrictive CSP may break editor functionality and requires testing. Additionally, validate and sanitize href attributes at the application layer (for example with a library such as DOMPurify) before rendering editor output, and avoid executing or rendering editor state in contexts with elevated privileges. The upstream fix is confirmed in GitHub commit 1c2fefe3d61ab1c8fbaa6d6b597251e1b6d9aaed, and details are available in the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-TIPTAPEXTENSIONLINK-14222197.