CVE-2025-64501: 
Ruby vulnerability analysis and mitigation

CVE-2025-64501 affects the prosemirrortohtml gem (versions 0.2.0 and below), a JSON converter that transforms ProseMirror-compatible JSON to HTML. The vulnerability was discovered and disclosed in November 2025, exposing applications to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values (GitHub Advisory, NVD).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79). While tag content is properly escaped, attribute values are not sanitized, allowing attackers to inject arbitrary JavaScript code. The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N (GitHub Advisory).

The vulnerability affects applications using prosemirrortohtml to convert ProseMirror documents to HTML, particularly those processing user-generated content. End users viewing rendered HTML output could have malicious JavaScript executed in their browsers through various attack vectors including href attributes with javascript: protocol and event handlers (GitHub Advisory).

A patch has been released in version 0.2.1 which implements proper escaping of HTML attribute values using CGI.escapeHTML. Until upgrading, users can implement temporary mitigations including: sanitizing output using libraries like Sanitize or Loofah, implementing strict Content Security Policy (CSP) headers to prevent inline JavaScript execution, and validating ProseMirror documents before conversion (GitHub Advisory).