Description
The Trix editor, in versions prior to 2.1.1, is vulnerable to arbitrary code execution (cross-site scripting) when content copied from the web or from other documents containing markup is pasted into the editor.
Recommendation
Update the trix package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 0.9.0, < 1.3.2** and **>= 2.0.0, < 2.1.1**
Patched version(s): **1.3.2** and **2.1.1**
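The version check this recommendation implies, as an added example that is not part of the advisory or of the Trix project: it encodes the two affected ranges above and scans a parsed package-lock.json for copies of trix that still fall inside them (the sample lockfile is constructed).

```javascript
// Added example (not part of the advisory): flag an installed trix version that
// falls inside the affected ranges stated above.
const AFFECTED_RANGES = [
  { min: "0.9.0", max: "1.3.2" }, // >= 0.9.0, < 1.3.2 (patched in 1.3.2)
  { min: "2.0.0", max: "2.1.1" }, // >= 2.0.0, < 2.1.1 (patched in 2.1.1)
];
// Parse "major.minor.patch"; a leading "v" and any prerelease suffix are ignored
// (simplification: "2.1.1-beta" is treated as 2.1.1).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
// True when min <= version < max for any affected range.
function isVulnerableTrixVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0
  );
}

// Walk a parsed package-lock.json: the v2/v3 "packages" map (covers nested copies)
// and the top-level v1 "dependencies" entry. Returns only the copies that are affected.
function findVulnerableTrix(lockfile) {
  const found = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith("node_modules/trix") && info.version) found.push({ path, version: info.version });
  }
  const top = (lockfile.dependencies || {}).trix;
  if (top && top.version) found.push({ path: "dependencies.trix", version: top.version });
  return found.filter((e) => isVulnerableTrixVersion(e.version));
}

// Constructed sample lockfile (not from a real project): one affected copy, one patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/trix": { version: "2.0.10" },
    "node_modules/some-ui/node_modules/trix": { version: "1.3.2" },
  },
};
console.log(findVulnerableTrix(SAMPLE_LOCK)); // → [ { path: 'node_modules/trix', version: '2.0.10' } ]
```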
References
- GHSA-qjqp-xr96-cj99
- discuss.rubyonrails.org
- rubyonrails.org
- CVE-2024-34341
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
- Cross-site Scripting (XSS) in serialize-javascript - CVE-2024-11831
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
Tags:
- npm
- trix
Last updated on June 03, 2024