
Cloud Vulnerability DB
A community-led vulnerabilities database
The Element Plus Link component (el-link) through version 2.10.6 contains a security vulnerability caused by insufficient validation of the href attribute. The component passes user-controlled href values directly to the underlying anchor element without protocol validation or URL sanitization (NVD). The vulnerability was disclosed on September 9, 2025.
The root cause is an abstraction gap: because el-link wraps a native anchor element, developers may assume the component validates the URL it is given, when in fact it performs no validation or sanitization of user-controlled href values before rendering them. A value such as javascript:alert(1) is therefore emitted into href as-is, and the same applies to data: and file: schemes (NVD, Element Plus Docs). In practice javascript: is the main XSS vector; modern browsers block top-level navigation to data: URLs and refuse file: links from http(s) pages, although any such value reaching the attribute still shows that untrusted input is being rendered unchecked.
The vulnerability enables cross-site scripting (XSS) when an attacker-controlled javascript: URL is rendered and followed, phishing (links that appear to belong to the application but lead elsewhere), and open redirects, in any application that feeds user-controlled or untrusted URLs to el-link. Native anchor elements carry the same risk, but a UI component library is expected either to validate such input itself or to document clearly that callers must do so (NVD).
Developers should validate and sanitize URLs before passing them to the href attribute. The recommended approach is to parse the value, compare its protocol against an allowlist of safe schemes, and substitute an inert value for anything else rather than trying to blocklist dangerous schemes. Example mitigation code has been added to the Element Plus documentation showing how to validate URLs with a sanitizeUrl function that accepts only allowed protocols such as http: and https: (Element Plus Docs, Element Plus PR).
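The following is an added example of such an allowlist-based sanitizer, written for this page; it is not the code from the Element Plus documentation or PR. It assumes a hypothetical application origin (https://app.example.com) for resolving relative links and uses about:blank as the inert fallback. It goes slightly beyond the documented check by relying on the WHATWG URL parser to defeat case and whitespace bypasses and by offering an optional host allowlist for the open-redirect case.

```javascript
// Added example, not Element Plus code: an allowlist-based URL sanitizer to
// apply before binding untrusted input to <el-link :href> (or any <a href>).
// Assumptions (not from the advisory): APP_ORIGIN is a hypothetical origin
// used to resolve relative links, and "about:blank" is the inert fallback.

const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const APP_ORIGIN = "https://app.example.com"; // hypothetical
const INERT_HREF = "about:blank";

/**
 * Return a normalized href that is safe to render, or INERT_HREF.
 * - Relative paths ("/settings") are resolved against APP_ORIGIN.
 * - The WHATWG URL parser lowercases the scheme and strips ASCII tab/newline
 *   and leading/trailing control characters, so "JaVaScRiPt:", "java\tscript:"
 *   and " javascript:" all normalize to javascript: and are rejected.
 * - allowedHosts additionally pins http(s) links to known hosts, closing the
 *   open-redirect case: "//evil.example/login" resolves to
 *   https://evil.example/login and would otherwise pass the scheme check.
 */
function sanitizeUrl(input, { allowedHosts = null } = {}) {
  if (typeof input !== "string" || input.length === 0) return INERT_HREF;

  let url;
  try {
    url = new URL(input, APP_ORIGIN);
  } catch {
    return INERT_HREF; // unparseable input is never rendered
  }

  if (!SAFE_PROTOCOLS.has(url.protocol)) return INERT_HREF;

  const isNetwork = url.protocol === "http:" || url.protocol === "https:";
  if (allowedHosts && isNetwork && !allowedHosts.includes(url.hostname)) {
    return INERT_HREF;
  }
  return url.href;
}

// Constructed sample inputs covering the schemes the advisory names
// (javascript:, data:, file:) plus common normalization bypasses.
const SAMPLE_INPUTS = [
  "https://example.org/docs?page=1",
  "/account/settings",
  "mailto:security@example.org",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "  javascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "file:///etc/passwd",
  "//evil.example/login",
];

for (const raw of SAMPLE_INPUTS) {
  const pinned = sanitizeUrl(raw, { allowedHosts: ["app.example.com"] });
  console.log(JSON.stringify(raw).padEnd(48), "->", sanitizeUrl(raw), "| pinned:", pinned);
}
```

In a Vue template the binding becomes `:href="sanitizeUrl(userUrl)"` rather than the raw value. Allowlisting schemes is the key design choice: a blocklist of known-bad schemes misses variants such as vbscript: in legacy browsers and future schemes, while an allowlist fails closed. When the link also uses target="_blank", set rel="noopener noreferrer" so a phishing destination cannot script the opening page.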
The Element Plus team responded by adding explicit security warnings to the documentation together with example URL-validation code. The changes were merged in pull request #21711, whose review generated significant discussion of the balance between security and functionality in component libraries, and of where responsibility for validating href input should sit between the library and the application using it (Element Plus PR).
Source: This report was generated using AI