CVE-2025-64501 is a Cross-Site Scripting (XSS) vulnerability identified in the etaminstudio prosemirror_to_html Ruby gem, specifically in versions prior to 0.2.1. This gem converts ProseMirror-compatible JSON documents into HTML. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where HTML attribute values are not properly escaped, although tag content is correctly handled. This flaw allows an attacker to inject malicious JavaScript code via crafted attribute values in the ProseMirror JSON input. When the vulnerable gem processes this input and outputs HTML, the injected script can execute in the context of the user's browser. This can lead to theft of sensitive information, session hijacking, or other malicious actions. The vulnerability requires network access (AV:N), low attack complexity (AC:L), privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability can affect components beyond the vulnerable module. Confidentiality impact is high, integrity impact is low, and availability is not affected. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to applications that render user-generated ProseMirror content using this gem. The issue was publicly disclosed on November 10, 2025, and fixed in version 0.2.1 of the gem.

For European organizations, this vulnerability can lead to significant risks including unauthorized disclosure of sensitive data, session hijacking, and potential compromise of user accounts or administrative functions if exploited. Organizations that use the prosemirror_to_html gem in web applications—particularly those that allow users to submit or edit content using ProseMirror editors—are vulnerable. The attack can be triggered remotely without requiring local access, increasing the threat surface. The confidentiality impact is high because attackers can execute arbitrary JavaScript, potentially stealing cookies, tokens, or other sensitive data. Integrity impact is moderate due to possible manipulation of displayed content or user actions. Availability is not directly impacted. This vulnerability could be leveraged in targeted attacks against European companies in sectors such as finance, media, and technology, where user-generated content is common. Additionally, regulatory frameworks like GDPR impose strict requirements on protecting user data, so exploitation could lead to compliance violations and reputational damage.

The primary mitigation is to upgrade the prosemirror_to_html gem to version 0.2.1 or later, where the vulnerability is fixed. Organizations should audit their codebases and dependencies to identify usage of vulnerable versions. Beyond upgrading, developers should implement strict input validation and sanitization on all user-generated content before processing or rendering. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Additionally, adopting secure coding practices such as output encoding for all HTML attribute values and regular dependency scanning can prevent similar issues. Monitoring web application logs for unusual activity and user reports of suspicious behavior can aid early detection. Finally, educating developers about secure handling of JSON-to-HTML conversions and the risks of improper escaping is recommended.