Description
All React applications built with react-admin that use the <RichTextField> component are affected. <RichTextField> outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data is not sanitized server-side, this opens a possible Cross-Site Scripting (XSS) attack.
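The following is an added example, not react-admin's code, that makes the description concrete: it contrasts the unsanitized rendering pattern the advisory describes with a variant that sanitizes on the client, and adds a check a defender can run over stored records to find rows that were relying on server-side sanitization. The function names (unsafeRichTextProps, safeRichTextProps, findUnsanitizedRecords, sanitizeHtml) and the sample records are assumptions constructed for this example; sanitizeHtml is a teaching-size allowlist sanitizer standing in for a maintained library such as DOMPurify.

```javascript
// Added example (not react-admin's code): the unsanitized rendering pattern the
// advisory describes, a hardened variant, and a check over stored records.
// sanitizeHtml is a deliberately small allowlist sanitizer for illustration;
// a real application should use a maintained library such as DOMPurify.

// Tags that survive sanitization. Everything else (script, img, iframe, ...)
// is rendered as literal text, and all attributes are dropped.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li']);

// Escape text so the browser treats it as data, not markup. A bare '&' is
// escaped; already-encoded entities such as '&amp;' are left alone.
function escapeHtml(text) {
  return text
    .replace(/&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Walk the string as tags and text runs. Allowed tags are re-emitted with no
// attributes (which removes on* handlers and javascript: URLs); disallowed
// tags and all text runs are escaped.
function sanitizeHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>|[^<]+|</g, (token, tagName) => {
    if (tagName === undefined) return escapeHtml(token); // text run or stray '<'
    const name = tagName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return escapeHtml(token); // e.g. <script>
    return token.startsWith('</') ? `</${name}>` : `<${name}>`;
  });
}

// The vulnerable pattern: the raw field value becomes innerHTML. Whatever the
// backend stored, including markup with event handlers, is interpreted by the browser.
function unsafeRichTextProps(record, source) {
  return { dangerouslySetInnerHTML: { __html: record[source] } };
}

// Hardened pattern: sanitize on the client regardless of what the server did.
function safeRichTextProps(record, source) {
  return { dangerouslySetInnerHTML: { __html: sanitizeHtml(record[source] ?? '') } };
}

// Defender's check: which stored records contain markup the sanitizer would
// alter? Those rows depended on server-side sanitization that may not exist.
function findUnsanitizedRecords(records, source) {
  return records.filter(
    (r) => typeof r[source] === 'string' && sanitizeHtml(r[source]) !== r[source]
  );
}

// Constructed sample data, not taken from the advisory.
const sampleRecords = [
  { id: 1, body: '<p>Hello <b onmouseover="steal()">world</b></p><script>steal()</script>' },
  { id: 2, body: '<p>Plain <em>rich text</em></p>' },
];

console.log(unsafeRichTextProps(sampleRecords[0], 'body').dangerouslySetInnerHTML.__html);
console.log(safeRichTextProps(sampleRecords[0], 'body').dangerouslySetInnerHTML.__html);
console.log(findUnsanitizedRecords(sampleRecords, 'body').map((r) => r.id));
```

The design point is that the hardened variant does not trust the API: even if the backend is later fixed to sanitize, the client keeps its own guard, and the record check gives an inventory of existing data that would render differently once sanitization is in place.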
Recommendation
Update the ra-ui-materialui package to the latest compatible version. Version details:
Affected version(s): **< 3.19.12** and **>= 4.0.0, < 4.7.6**
Patched version(s): **3.19.12** and **4.7.6**
References
Tags: npm, ra-ui-materialui
Last updated on February 22, 2023