CVE-2025-21610: Trix allows Cross-site Scripting via `javascript:` url in a link
The Trix editor, in versions prior to 2.1.11, is vulnerable to cross-site scripting (XSS) when malicious content, such as a `javascript:` URL, is pasted into the link field.
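As an added illustration, not Trix's own code nor the upstream fix, this is the kind of allow-list check an editor or server-side sanitizer can apply to a link target before it becomes an `href`: it resolves the value with the WHATWG URL parser and accepts only an explicit set of schemes, so `javascript:` and its whitespace- or case-obfuscated spellings are rejected. It assumes the check runs on the attribute value as the DOM exposes it (already entity-decoded); the scheme list and the base URL `https://editor.invalid/` are choices made for this example.

```javascript
// Added example (not from the Trix project): allow-list validation of a link
// target, the control that blocks the javascript: URL described above.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Parse the raw href and return its scheme (with trailing colon), or null if
// it does not parse at all. Resolving against a base lets relative links
// through; the WHATWG parser also strips tab/newline and trims leading and
// trailing C0 controls, so "java\tscript:" and " javascript:" do not slip
// past the way they would past a naive startsWith("javascript:") check.
function linkScheme(raw) {
  try {
    return new URL(String(raw), "https://editor.invalid/").protocol.toLowerCase();
  } catch {
    return null; // unparseable input is treated as unsafe
  }
}

// True only when the scheme is on the allow-list.
function isSafeLinkHref(raw) {
  const scheme = linkScheme(raw);
  return scheme !== null && SAFE_SCHEMES.has(scheme);
}

// Return the href unchanged when it is safe, otherwise null so the caller
// drops the link (or keeps the text without an href).
function sanitizeLinkHref(raw) {
  return isSafeLinkHref(raw) ? raw : null;
}

// Constructed sample of pasted link targets, run through the check.
const SAMPLE_HREFS = [
  "https://example.com/page",
  "/relative/path",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,x",
];

function classifySample() {
  return SAMPLE_HREFS.map((href) => ({ href, allowed: isSafeLinkHref(href) }));
}

for (const { href, allowed } of classifySample()) {
  console.log(`${allowed ? "allow " : "reject"} ${JSON.stringify(href)}`);
}
```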
References
- gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8
- github.com/advisories/GHSA-j386-3444-qgwg
- github.com/basecamp/trix
- github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa
- github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93
- github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg
- nvd.nist.gov/vuln/detail/CVE-2025-21610