Cross-Site Scripting in @toast-ui/editor

Severity:: High

Description

Versions of @toast-ui/editor prior to 2.2.0 are vulnerable to Cross-Site Scripting (XSS). There are multiple bypasses to the package’s built-in XSS sanitization. This may allow attackers to execute arbitrary JavaScript on a victim’s browser.

Recommendation

Update the @toast-ui/editor package to the latest compatible version. Followings are version details:

Affected version(s): < 2.2.0
Patched version(s): 2.2.0

References

GHSA-cr56-66mx-293v
www.npmjs.com
CWE-79
OWASP 2021-A3

Related Issues

tarteaucitron Cross-site Scripting (XSS) - CVE-2025-1467
Cross site scripting in markdown-to-jsx - CVE-2024-21535
uPlot Prototype Pollution vulnerability - CVE-2024-21489
FUXA local file inclusion vulnerability - CVE-2023-31718

Tags:: npm; @toast-ui/editor

Anything's wrong? Let us know Last updated on April 03, 2023