Cross-Site-Scripting attack on `<RichTextField>` (GHSA-5jcr-82fh-339v)
Severity: Medium
Description

All React applications built with react-admin and using the `<RichTextField>` component are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack.
Recommendation

Update the react-admin package to the latest compatible version. Version details:

Affected version(s): **>= 4.0.0, < 4.7.6** and **< 3.19.12**
Patched version(s): **4.7.6** and **3.19.12**
Tags: npm, react-admin
Last updated on February 22, 2023