GHSA-vfpf-xmwh-8m65: 
Ruby vulnerability analysis and mitigation

The ProsemirrorToHtml gem (version < 0.2.1) contains a Cross-Site Scripting (XSS) vulnerability identified as GHSA-vfpf-xmwh-8m65. The vulnerability was discovered and disclosed on November 7, 2025, affecting applications that use the gem to convert ProseMirror documents to HTML. While the gem properly escapes tag content, it fails to escape HTML attribute values, potentially allowing attackers to inject malicious JavaScript code (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 7.6 (High severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N. The issue stems from improper neutralization of input during web page generation (CWE-79), specifically in the HTML attribute value handling. The vulnerable code is located in the HTML rendering process where attribute values are directly interpolated into the output without proper escaping (GitHub Advisory).

The vulnerability affects any application using prosemirrortohtml to convert ProseMirror documents to HTML, with applications processing user-generated ProseMirror content being at highest risk. Attackers can exploit this vulnerability through various HTML attributes including href attributes with javascript: protocol, event handlers, onerror attributes on images, and other HTML attributes capable of executing JavaScript. When successfully exploited, malicious JavaScript code can be executed in victims' browsers (GitHub Advisory).

A fix is available in version 0.2.1, which implements proper escaping of HTML attribute values using CGI.escapeHTML. Until upgrading is possible, several workarounds are recommended: 1) Implement output sanitization using libraries like Sanitize or Loofah, 2) Add strict Content Security Policy (CSP) headers to prevent inline JavaScript execution, 3) Validate and sanitize ProseMirror documents before conversion (GitHub Advisory).