
Cloud Vulnerability DB
A community-led vulnerabilities database
@udecode/plate-link is the link plugin for Plate (udecode/plate), a rich-text editor plugin system built on Slate and React. CVE-2023-34245 affects versions prior to 20.0.0, in which the link plugin and its link UI component did not restrict the scheme of link URLs, so a link using the javascript: scheme could be inserted into the editor, for example by opening a document containing such a link or by pasting malicious content (GitHub Advisory).
The root cause is missing URL-scheme validation in the link rendering path: the affected versions placed the stored link URL into the anchor's href without checking its scheme, so a javascript: URL was rendered into the DOM and its payload ran when the link was activated. The vulnerability has been assigned a CVSS v3.1 score of 8.1 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating a network attack vector, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).
Because editor content is typically persisted and shown to other users, an attacker who can get a malicious link into a document can execute arbitrary JavaScript in the browser of any user who clicks it, in the origin of the hosting application. This can lead to theft of data visible to the page, session hijacking, or other client-side attacks. The high score reflects the impact on confidentiality and integrity; availability is not affected (A:N) (GitHub Advisory).
The fix shipped in @udecode/plate-link 20.0.0 introduces an allowedSchemes option on the link plugin, defaulting to ['http', 'https', 'mailto', 'tel']; a URL whose scheme is not on this allow-list is not rendered to the DOM. Users who cannot upgrade should override the LinkElement and PlateFloatingLink components with implementations that explicitly check the URL scheme before rendering any anchor element (GitHub Advisory). Two practical notes: extending allowedSchemes beyond the default reopens the question of what each added scheme can do when clicked, and the check applies at render time, so an application that serializes editor content to HTML for other consumers should apply the same allow-list in that serializer.
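The unchecked rendering described above beside an allow-list check of the kind the fix introduces, as an added example that is not @udecode/plate's own code. The function and constant names (sanitizeLinkUrl, renderLinkUnsafe, renderLinkSafe, DEFAULT_ALLOWED_SCHEMES) and the sample link values are assumptions made for this illustration; the default scheme list matches the one the advisory states for 20.0.0. It goes slightly beyond the advisory by showing why the check should parse the URL rather than match the raw string: the WHATWG URL parser, which browsers also apply to href, strips leading whitespace and embedded tabs or newlines, so "  JavaScript:alert(1)" and "java\tscript:alert(1)" both resolve to the javascript: scheme.

```javascript
// Added example, not code from @udecode/plate. Runs under Node.js (global URL).

// Allow-list matching the default the advisory gives for plate-link 20.0.0.
const DEFAULT_ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];

// Return the URL unchanged if its scheme is on the allow-list, otherwise undefined.
// Parsing with the WHATWG URL API normalises case, leading whitespace and embedded
// tab/newline characters before the scheme is read, which a naive
// url.startsWith('javascript:') check would miss. Anything that does not parse as
// an absolute URL (e.g. a relative path) is denied by default here.
function sanitizeLinkUrl(url, allowedSchemes = DEFAULT_ALLOWED_SCHEMES) {
  if (typeof url !== 'string' || url.length === 0) return undefined;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return undefined;
  }
  const scheme = parsed.protocol.slice(0, -1); // "https:" -> "https"
  return allowedSchemes.includes(scheme) ? url : undefined;
}

// Minimal escaping for attribute values and text nodes; the point of the example is
// the scheme check, but an href must never be interpolated without escaping either.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Vulnerable pattern (the pre-20.0.0 behaviour the advisory describes): whatever is
// stored in the link node's url field goes straight into href, javascript: included.
function renderLinkUnsafe(url, text) {
  return `<a href="${escapeAttr(url)}">${escapeText(text)}</a>`;
}

// Hardened pattern: an anchor is only emitted for an allow-listed scheme; otherwise
// the link text is kept as plain content so nothing the user wrote is lost.
function renderLinkSafe(url, text, allowedSchemes = DEFAULT_ALLOWED_SCHEMES) {
  const safe = sanitizeLinkUrl(url, allowedSchemes);
  if (safe === undefined) return `<span>${escapeText(text)}</span>`;
  return `<a href="${escapeAttr(safe)}">${escapeText(text)}</a>`;
}

// Constructed sample link values: two legitimate, the rest variants an attacker
// might paste or embed in a shared document.
const SAMPLE_LINKS = [
  'https://example.com/docs',
  'mailto:security@example.com',
  'javascript:alert(document.cookie)',
  '  JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '/relative/path',
];

for (const url of SAMPLE_LINKS) {
  console.log(JSON.stringify(url));
  console.log('  unsafe:', renderLinkUnsafe(url, 'link'));
  console.log('  safe:  ', renderLinkSafe(url, 'link'));
}
```

In a Plate-based application the equivalent of renderLinkSafe is the overridden LinkElement (and PlateFloatingLink for the preview) the advisory recommends as the workaround; on 20.0.0 and later the allowedSchemes option performs this check for you.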
Source: This report was generated using AI