CVE-2025-64501: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in etaminstudio prosemirror_to_html
ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) through malicious HTML attribute values: tag content is properly escaped, but attribute values are not, allowing attackers to inject arbitrary JavaScript. Applications that use `prosemirror_to_html` to convert user-generated ProseMirror documents to HTML, and the end users who view the rendered output, are at risk. This issue is fixed in version 0.2.1.
AI Analysis
Technical Summary
The vulnerability CVE-2025-64501 affects the prosemirror_to_html gem, a Ruby library that converts ProseMirror-compatible JSON documents into HTML. In versions 0.2.0 and earlier, the gem does not escape attribute values when it generates HTML. Text content is HTML-escaped, so a `<script>` tag inside a text node renders harmlessly, but a quote character inside an attribute value (such as the `href` of a link mark) is emitted verbatim, which lets an attacker close the attribute and add event-handler attributes or other markup that executes JavaScript in the viewer's browser. Missing output encoding of this kind is a classic Cross-Site Scripting flaw (CWE-79). The published CVSS 3.1 vector has a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, typically an account that can author content) and user interaction required (UI:R). Scope is changed (S:C) because the vulnerable component is the server-side converter while the impacted component is the browser of whoever views the output. Confidentiality impact is high (C:H), since injected script can read session data and page content; integrity impact is low (I:L), since script can alter what the victim sees; availability is not affected (A:N). Any application that accepts user-generated ProseMirror JSON and renders it with an affected version exposes its end users to stored XSS and the usual consequences: session hijacking, credential theft and actions performed in the victim's session. The vulnerability was publicly disclosed on November 10, 2025, with no known exploitation in the wild at that time. Version 0.2.1 fixes the issue by escaping attribute values.
Potential Impact
For European organizations, the risk is concentrated in web applications that render user-generated content with the prosemirror_to_html gem, for example rich-text editors, CMS content and comment systems built on ProseMirror. A successful attack runs attacker-controlled script in other users' browsers, which can expose session tokens and personal data or perform actions on the victim's behalf; where personal data is involved this is a potential GDPR breach with notification obligations. The confidentiality impact is high, which matters most in sectors handling personal data such as finance, healthcare and e-commerce. The integrity impact is lower but still allows content manipulation, defacement or misinformation. Availability is not affected. The required user interaction is usually nothing more than viewing a page that renders the stored malicious document, so stored payloads need no phishing, although a link to such a page can also be delivered by phishing. Organizations with public-facing platforms on affected versions are at elevated risk, and failure to patch can lead to reputational damage and regulatory penalties under European data protection law.
Mitigation Recommendations
European organizations should upgrade prosemirror_to_html to version 0.2.1 or later, confirm the resolved version in `Gemfile.lock` after `bundle update prosemirror_to_html`, and check that no vendored copy or fork of the converter is still in use. Beyond patching, treat ProseMirror JSON as untrusted input and validate it server-side before conversion against an allowlist of the node types, mark types and attribute names your schema expects, and allowlist URL schemes for link `href` values: attribute escaping stops break-out from an attribute but does not make a `javascript:` URL harmless. Run the generated HTML through an HTML sanitizer (for example Loofah or rails-html-sanitizer in Rails applications) as a second layer that drops unexpected attributes even if the converter regresses. Deploy a strict Content Security Policy that disallows inline scripts and event-handler attributes, which limits the impact of any XSS that does get through. Do not rely on a web application firewall here: the payload arrives as JSON, usually inside a legitimate editor save request, and is easy to split across fields. Include attribute-injection cases (quotes in `href`, `src`, `title`, `alt`) in code review and penetration tests of every code path that renders ProseMirror content, and log and review content saves and rendering errors for anomalous attribute values. User awareness training against phishing is a weaker control for this issue, since stored XSS triggers on ordinary page views.
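The following Ruby script is an added example and is not code from the prosemirror_to_html gem or its advisory. It builds a minimal ProseMirror-JSON-to-HTML renderer that reproduces the class of defect described above (text escaped, attribute values not) beside the escaped variant, and adds the pre-conversion link check recommended in the mitigations. The `Renderer` class, helper names, the sample document, the `MALICIOUS_HREF` payload and the detection regex are all constructed for this demonstration.

```ruby
# Added example, not code from the prosemirror_to_html gem: a minimal
# ProseMirror-JSON-to-HTML renderer that reproduces the class of defect the
# advisory describes (text escaped, attribute values not) next to the escaped
# variant, plus a pre-conversion link check. The Renderer class, helper names,
# the sample document and the detection regex are all constructed for this demo.
require 'cgi'
require 'uri'

# Constructed payload: a quote closes the href value and smuggles an event handler.
MALICIOUS_HREF = 'https://example.test/" onmouseover="alert(1)'

# Constructed ProseMirror document using basic-schema node/mark names.
MALICIOUS_DOC = {
  'type' => 'doc',
  'content' => [
    { 'type' => 'paragraph',
      'content' => [
        { 'type' => 'text', 'text' => '<b>visible text</b> ' },
        { 'type' => 'text', 'text' => 'click',
          'marks' => [{ 'type' => 'link', 'attrs' => { 'href' => MALICIOUS_HREF } }] }
      ] }
  ]
}.freeze

class Renderer
  def initialize(escape_attrs:)
    @escape_attrs = escape_attrs
  end

  def render(node)
    case node['type']
    when 'doc'       then children(node)
    when 'paragraph' then "<p>#{children(node)}</p>"
    # Text content is escaped in both variants, matching the advisory.
    when 'text'      then wrap_marks(CGI.escapeHTML(node['text']), node['marks'] || [])
    else raise ArgumentError, "unsupported node type #{node['type'].inspect}"
    end
  end

  private

  def children(node)
    (node['content'] || []).map { |c| render(c) }.join
  end

  def wrap_marks(html, marks)
    marks.reduce(html) do |inner, mark|
      case mark['type']
      when 'link'   then "<a#{attrs(mark['attrs'])}>#{inner}</a>"
      when 'strong' then "<strong>#{inner}</strong>"
      else raise ArgumentError, "unsupported mark type #{mark['type'].inspect}"
      end
    end
  end

  # The defect: with escape_attrs: false the value is interpolated verbatim, so a
  # double quote in it terminates the attribute. CGI.escapeHTML turns " into
  # &quot; (and ' < > & likewise), the kind of treatment the advisory says 0.2.1 applies.
  def attrs(attrs)
    (attrs || {}).map do |name, value|
      v = @escape_attrs ? CGI.escapeHTML(value.to_s) : value.to_s
      %( #{name}="#{v}")
    end.join
  end
end

def vulnerable_html
  Renderer.new(escape_attrs: false).render(MALICIOUS_DOC)
end

def hardened_html
  Renderer.new(escape_attrs: true).render(MALICIOUS_DOC)
end

# Test oracle for this demo only (not a general XSS detector): does any tag carry
# a quoted on* event-handler attribute?
def attribute_breakout?(html)
  html.match?(/<[a-z]+\b[^>]*\son\w+="/i)
end

# Defense in depth independent of the escaping fix: escaping stops attribute
# break-out but does not make a "javascript:" href harmless, so allowlist schemes
# before conversion. Relative URLs (no scheme) are accepted.
ALLOWED_LINK_SCHEMES = %w[http https mailto].freeze

def safe_link_href?(href)
  uri = URI.parse(href.to_s)
  uri.scheme.nil? || ALLOWED_LINK_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Walks a document and returns every link href that fails the scheme check.
def unsafe_link_hrefs(node)
  own = (node['marks'] || []).select { |m| m['type'] == 'link' }
                             .map { |m| m.dig('attrs', 'href') }
                             .reject { |h| safe_link_href?(h) }
  own + (node['content'] || []).flat_map { |c| unsafe_link_hrefs(c) }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{vulnerable_html}"
  puts "hardened:   #{hardened_html}"
  puts "rejected hrefs: #{unsafe_link_hrefs(MALICIOUS_DOC).inspect}"
end
```

Running the script shows the vulnerable variant emitting `<a href="https://example.test/" onmouseover="alert(1)">`, a live event handler, while the escaped variant keeps the whole payload inside the `href` value as `&quot;`-encoded text. The `unsafe_link_hrefs` walk rejects the same document before it ever reaches a converter, which is the place to stop `javascript:` URLs that escaping alone cannot neutralize.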
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T19:12:25.104Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69125dcc44f28dbfe98bf0fc
Added to database: 11/10/2025, 9:49:00 PM
Last enriched: 11/17/2025, 9:49:31 PM
Last updated: 12/27/2025, 1:39:15 AM
Views: 89
Related Threats
- CVE-2025-68474: CWE-787: Out-of-bounds Write in espressif esp-idf (Medium)
- CVE-2025-66203: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lemon8866 StreamVault (Critical)
- CVE-2025-64481: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in simonw datasette (Low)
- CVE-2025-68697: CWE-269: Improper Privilege Management in n8n-io n8n (High)
- CVE-2025-67729: CWE-502: Deserialization of Untrusted Data in InternLM lmdeploy (High)