CVE-2022-31175: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ckeditor ckeditor5

Medium
Published: Wed Aug 03 2022 (08/03/2022, 19:05:13 UTC)
Source: CVE
Vendor/Project: ckeditor
Product: ckeditor5

Description

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5 packages in versions prior to 35.0.1. The vulnerability allowed triggering JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In the case of `ckeditor5-html-support` and `ckeditor5-html-embed`, it was additionally required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy and use the Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/23/2025, 01:20:54 UTC

Technical Analysis

CVE-2022-31175 is a cross-site scripting (XSS) vulnerability identified in CKEditor 5, a widely used JavaScript rich text editor. This vulnerability specifically affects three optional CKEditor 5 packages: @ckeditor/ckeditor5-markdown-gfm, @ckeditor/ckeditor5-html-support, and @ckeditor/ckeditor5-html-embed, in versions prior to 35.0.1. The root cause lies in improper neutralization of input during web page generation, classified under CWE-79. The vulnerability can be triggered under a specific set of conditions: first, the application must use one of the affected packages; for the html-support and html-embed packages, the editor must be configured to allow unsafe markup; second, the editor instance must be destroyed; and third, the editor must be initialized on an element other than a <textarea>. The issue arises from the mechanism that updates the source element with markup from the CKEditor 5 data pipeline after the editor is destroyed, which can lead to execution of arbitrary JavaScript code. This flaw is particularly relevant for integrators who rely on dynamic editor initialization and destruction and use Markdown, General HTML Support, or HTML embed features. The vulnerability has been patched in version 35.0.1, and no known workarounds exist. There are no known exploits in the wild as of the published date, and the vulnerability is rated medium severity by the vendor. The attack requires specific configuration and usage patterns, limiting its scope but still posing a risk to affected deployments.

Potential Impact

For European organizations, the impact of this vulnerability can vary depending on the extent to which CKEditor 5 with the affected packages is integrated into their web applications, especially those that allow dynamic editor lifecycle management and unsafe markup configurations. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. This can compromise confidentiality and integrity of user data and may also affect availability if exploited to inject disruptive scripts. Organizations in sectors with high reliance on web-based content management systems, such as media, education, government portals, and e-commerce, could face reputational damage and regulatory consequences under GDPR if personal data is compromised. However, the requirement for specific configurations and the absence of known exploits reduce the immediate widespread risk. Still, targeted attacks against organizations using vulnerable CKEditor 5 versions with the affected packages and configurations remain a concern.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading all CKEditor 5 instances to version 35.0.1 or later, which contains the official patch. Since no workarounds exist, patching is the primary defense. Additionally, organizations should audit their use of CKEditor 5 to identify whether any of the affected packages (@ckeditor/ckeditor5-markdown-gfm, @ckeditor/ckeditor5-html-support, @ckeditor/ckeditor5-html-embed) are in use, and verify whether their configurations allow unsafe markup, which increases risk. Where possible, avoid unsafe markup configurations or restrict them to trusted users only. Review and limit dynamic initialization and destruction of editor instances, especially on elements other than <textarea>, to reduce exposure. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct regular security testing, including code reviews and penetration testing focused on rich text editor components. Finally, monitor web application logs for suspicious activity related to editor usage and script execution anomalies.
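As an added example (not part of this advisory and not CKEditor's own tooling), the audit step above can be automated with a small Node.js check that scans a project's dependency map for the three affected packages and flags any that are pinned below the fixed release 35.0.1. The dependency map below is constructed for illustration.

```javascript
// Added example: flag the packages named in CVE-2022-31175 when a dependency
// map (e.g. package.json "dependencies") pins them below the fixed 35.0.1.
const AFFECTED = [
  "@ckeditor/ckeditor5-markdown-gfm",
  "@ckeditor/ckeditor5-html-support",
  "@ckeditor/ckeditor5-html-embed",
];
const FIXED = [35, 0, 1];

// Parse "35.0.1", "^34.2.0", "~33.0.0" or ">=30.0.0" into [major, minor, patch].
// Range prefixes are stripped: the lowest version a range admits is what
// matters when asking whether an install could resolve to a vulnerable build.
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null; // git URLs, dist-tags such as "latest": cannot judge
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per affected package that is present and either
// resolves below 35.0.1 ("vulnerable") or cannot be parsed ("unparsed",
// which needs a manual look rather than a silent pass).
function findVulnerableCkeditorPackages(deps) {
  const findings = [];
  for (const name of AFFECTED) {
    if (!(name in deps)) continue;
    const v = parseVersion(deps[name]);
    if (v === null) {
      findings.push({ name, version: deps[name], status: "unparsed" });
    } else if (compareVersions(v, FIXED) < 0) {
      findings.push({ name, version: deps[name], status: "vulnerable" });
    }
  }
  return findings;
}

// Constructed sample dependency map (not taken from any real project).
const sampleDeps = {
  "@ckeditor/ckeditor5-editor-classic": "^34.1.0",
  "@ckeditor/ckeditor5-html-support": "^34.1.0",
  "@ckeditor/ckeditor5-html-embed": "35.0.1",
  "@ckeditor/ckeditor5-markdown-gfm": "github:ckeditor/ckeditor5#main",
};
console.log(findVulnerableCkeditorPackages(sampleDeps));
```

Run it against the merged `dependencies` and `devDependencies` of each application, or against the resolved versions from the lockfile, which is what actually ships.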

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf3919

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 1:20:54 AM

Last updated: 7/31/2025, 9:42:49 PM
