CVE-2025-14284 is a Cross-site Scripting (XSS) vulnerability identified in the @tiptap/extension-link package, a widely used JavaScript extension for managing links within rich text editors. Versions prior to 2.10.4 fail to properly sanitize user input when links are set or toggled, specifically allowing injection of malicious javascript: URL payloads. This unsanitized input can be crafted by an attacker to execute arbitrary JavaScript code in the victim’s browser context once the user interacts with the malicious link. The vulnerability does not require authentication or elevated privileges, but does require user interaction to trigger the payload. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:A), and limited impact on confidentiality and integrity (CI:L, II:L), with no impact on availability. The vulnerability is classified as medium severity with a CVSS score of 5.1. No known exploits have been reported in the wild, but the potential for abuse in web applications that embed this package is significant, especially in environments where user-generated content is common. The lack of sanitization in link attributes can facilitate session hijacking, credential theft, or execution of malicious scripts, undermining user trust and application security. The vulnerability was published on December 9, 2025, and remediation involves upgrading to version 2.10.4 or later where input sanitization is enforced.

For European organizations, this vulnerability poses a risk primarily to web applications that utilize the @tiptap/extension-link package for rich text editing and link management. Exploitation can lead to execution of arbitrary JavaScript in users’ browsers, potentially resulting in session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. This can undermine confidentiality and integrity of user data and may lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches), and financial losses. Organizations in sectors with high reliance on web-based collaboration tools, content management systems, or customer-facing portals that incorporate this package are at elevated risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with high user engagement or where social engineering can be leveraged. The medium severity score reflects moderate impact and ease of exploitation, emphasizing the need for timely patching to prevent potential attacks.

European organizations should immediately identify all instances of the @tiptap/extension-link package in their web applications and verify the version in use. Upgrading to version 2.10.4 or later is the primary and most effective mitigation step, as it includes proper input sanitization to prevent XSS payload injection. In addition, organizations should implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of potential XSS attacks. Web application firewalls (WAFs) can be tuned to detect and block suspicious javascript: URL patterns in user inputs. Developers should review and harden input validation and sanitization routines beyond the package level, especially for user-generated content. Security awareness training for users to recognize and avoid interacting with suspicious links can reduce exploitation likelihood. Regular security testing, including automated scanning and manual penetration testing focused on XSS vectors, should be incorporated into the development lifecycle. Monitoring for anomalous user behavior and incident response readiness will help detect and mitigate any exploitation attempts.