Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a2da6b72a5f8 · 2025-11-13T23:00:03.000Z
GHSA-4249-gjr8-jpq3 GHSA-pm3x-jrhh-qcr7
diff --git a/advisories/github-reviewed/2025/11/GHSA-4249-gjr8-jpq3/GHSA-4249-gjr8-jpq3.json b/advisories/github-reviewed/2025/11/GHSA-4249-gjr8-jpq3/GHSA-4249-gjr8-jpq3.json
@@ -0,0 +1,71 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4249-gjr8-jpq3",
+  "modified": "2025-11-13T22:59:15Z",
+  "published": "2025-11-13T22:59:15Z",
+  "aliases": [],
+  "summary": "ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values",
+  "details": "### Impact\n\nThe prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.\n\n**Who is impacted:**\n\n- Any application using prosemirror_to_html to convert ProseMirror documents to HTML\n- Applications that process user-generated ProseMirror content are at highest risk\n- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers\n\n**Attack vectors include:**\n\n- `href` attributes with `javascript:` protocol:\n  `<a href=\"javascript:alert(document.cookie)\">`\n- Event handlers: `<div onclick=\"maliciousCode()\">`\n- `onerror` attributes on images: `<img src=x onerror=\"alert('XSS')\">`\n- Other HTML attributes that can execute JavaScript\n\n### Patches\n\nA fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML attribute values using `CGI.escapeHTML` to prevent injection attacks.\n\n### Workarounds\n\nUntil a patched version is available, users can implement one or more of these mitigations:\n\n1. **Sanitize output**: Pass the HTML output through a sanitization\n   library like [Sanitize](https://github.com/rgrove/sanitize) or\n   [Loofah](https://github.com/flavorjones/loofah):\n\n```ruby\n   html = ProsemirrorToHtml.render(document)\n   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)\n```\n\n2. **Implement Content Security Policy (CSP)**: Add strict CSP\n   headers to prevent inline JavaScript execution:\n```\n   Content-Security-Policy: default-src 'self'; script-src 'self'\n```\n\n3. **Input validation**: If possible, validate and sanitize\n   ProseMirror documents before conversion to prevent malicious\n   content from entering the system.\n\n### References\n\n- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "prosemirror_to_html"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/etaminstudio/prosemirror_to_html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-vfpf-xmwh-8m65.yml"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-13T22:59:15Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/11/GHSA-pm3x-jrhh-qcr7/GHSA-pm3x-jrhh-qcr7.json b/advisories/github-reviewed/2025/11/GHSA-pm3x-jrhh-qcr7/GHSA-pm3x-jrhh-qcr7.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pm3x-jrhh-qcr7",
+  "modified": "2025-11-13T22:58:20Z",
+  "published": "2025-11-13T22:58:20Z",
+  "aliases": [
+    "CVE-2025-64529"
+  ],
+  "summary": "SpiceDB WriteRelationships fails silently if payload is too big",
+  "details": "### Impact\n\nUsers who:\n1. Use the exclusion operator somewhere in their authorization schema.\n1. Have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500.\n1. Issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows.\n\nUsers will:\n\n1. Receive a successful response from their `WriteRelationships` call, when in reality that call failed.\n2. Receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion.\n\n### Patches\n\nUpgrade to v.145.2.\n\n### Workarounds\n\nSet `--write-relationships-max-updates-per-call` to `1000`.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/authzed/spicedb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.45.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/authzed/spicedb/commit/d0cd103a92cc1915636733fb1d1730c2c7f74851"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/authzed/spicedb"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-13T22:58:20Z",
+    "nvd_published_at": "2025-11-10T23:15:42Z"
+  }
+}
