
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability CVE-2023-25572 affects react-admin, a frontend framework for building browser applications on top of REST/GraphQL APIs. The vulnerability was discovered in versions prior to 3.19.12 and 4.7.6, and was disclosed on February 13, 2023. The issue specifically affects the RichTextField component, which outputs field values using dangerouslySetInnerHTML without proper client-side sanitization (GitHub Advisory).
The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 5.4 (Medium severity). Because RichTextField passes the field value to dangerouslySetInnerHTML without client-side sanitization, any HTML stored in the record is rendered as-is, so script-bearing markup executes in the browser unless the data was properly sanitized server-side. The weakness is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation), the standard classification for XSS (Snyk).
All React applications built with react-admin and using the RichTextField component are affected by this vulnerability. If the data isn't sanitized server-side, an attacker who can get HTML into a displayed record could execute scripts in other users' sessions, potentially leading to data theft or session hijacking (GitHub Advisory).
The vulnerability has been patched in versions 3.19.12 and 4.7.6, which now run the HTML through DOMPurify before outputting it with React and dangerouslySetInnerHTML. For users who cannot immediately upgrade, the issue is mitigated if HTML data is already sanitized server-side before it reaches the client. Alternatively, users can replace the RichTextField with a custom field that performs its own sanitization (GitHub Release).
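To make the difference between the affected and patched behaviour concrete, here is an added example (not react-admin's own code) of a field in the shape of RichTextField: the vulnerable form passes the record value straight to dangerouslySetInnerHTML, the hardened form runs it through DOMPurify first, which is also the shape of the "custom field" workaround. It assumes react-admin's useRecordContext hook and the dompurify package; the sample record and the allowlist profile are constructed for the example.

```jsx
import React from 'react';
import DOMPurify from 'dompurify';
import { useRecordContext } from 'react-admin';

// Constructed sample record: the body field carries an event-handler payload,
// the kind of value a backend that stores raw HTML would hand back unchanged.
export const sampleRecord = {
  id: 1,
  body: '<p>Hello <b>world</b></p><img src="x" onerror="alert(document.cookie)">',
};

// Vulnerable shape (before 3.19.12 / 4.7.6): the raw field value reaches
// dangerouslySetInnerHTML, so whatever markup the record holds is rendered as-is.
export const UnsafeRichTextField = ({ source }) => {
  const record = useRecordContext();
  const value = record ? record[source] : undefined;
  return <span dangerouslySetInnerHTML={{ __html: value }} />;
};

// Hardened shape (what the patched versions do): sanitize on the client before
// the markup reaches React. This conservative profile keeps text formatting and
// http(s)/mailto links only; widen it only as the stored content requires.
const PURIFY_CONFIG = {
  ALLOWED_TAGS: ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'],
  ALLOWED_ATTR: ['href'],
  ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i,
};

export const sanitizeRichText = (html) =>
  DOMPurify.sanitize(html == null ? '' : String(html), PURIFY_CONFIG);

export const SafeRichTextField = ({ source }) => {
  const record = useRecordContext();
  const value = record ? record[source] : undefined;
  return <span dangerouslySetInnerHTML={{ __html: sanitizeRichText(value) }} />;
};

// Regression check for the sanitizer profile (run in the browser or a jsdom-backed
// test): true when the handler attribute is gone and benign formatting survives.
export const payloadNeutralised = () => {
  const out = sanitizeRichText(sampleRecord.body);
  return !/onerror|<script|javascript:/i.test(out) && out.includes('<b>world</b>');
};
```

Use `<SafeRichTextField source="body" />` wherever `<RichTextField source="body" />` was used on an unpatched version; on 3.19.12 / 4.7.6 and later the built-in component already applies DOMPurify.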
Source: This report was generated using AI