CVE-2025-58064: 
JavaScript vulnerability analysis and mitigation

CKEditor 5, a modern JavaScript rich-text editor with an MVC architecture, was found to contain a Cross-Site Scripting (XSS) vulnerability (CVE-2025-58064) affecting versions 46.0.0 through 46.0.2 and 44.2.0 through 45.2.1 of both ckeditor5 and ckeditor5-clipboard packages. The vulnerability was discovered and disclosed on September 3, 2025 (GitHub Advisory).

The vulnerability exists in the clipboard package and could be triggered by specific user actions that could lead to unauthorized JavaScript code execution. This occurs when an attacker manages to insert malicious content into the editor under specific configuration conditions. The vulnerability specifically affects installations where either the HTML embed plugin is enabled or there is a custom plugin introducing an editable element where view RawElement is enabled (GitHub Advisory). The issue has been assigned a CVSS 4.0 score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N (NVD).

The vulnerability could allow attackers to execute unauthorized JavaScript code through the editor when specific configuration conditions are met. This could potentially lead to cross-site scripting attacks in applications using affected versions of CKEditor 5 (GitHub Advisory).

The vulnerability has been patched in versions 45.2.2 and 46.0.3 of both ckeditor5 and ckeditor5-clipboard packages. Users are advised to upgrade to these or later versions to address the security issue (GitHub Advisory, NVD).