DEV Community

CVE Reports

Originally published at cvereports.com


GHSA-QMPG-8XG6-PH5Q: Stored Cross-Site Scripting via Sanitizer Bypass in Trix Editor

Vulnerability ID: GHSA-QMPG-8XG6-PH5Q
CVSS Score: Unassigned (Moderate)
Published: 2026-03-12

A stored cross-site scripting (XSS) vulnerability exists in the Trix rich text editor, distributed as the trix npm package and the action_text-trix RubyGem. Trix sanitizes incoming HTML with DOMPurify, but a custom hook in its DOMPurify configuration allowed the data-trix-serialized-attributes attribute through the sanitizer. Trix later parses that attribute as JSON and applies each key/value pair to the live DOM, so an attacker who can get such markup stored (for example in a rich text field that is rendered back to other users) can smuggle inline event handlers past the sanitizer and run arbitrary JavaScript in the application's origin in the victim's browser.

TL;DR

Trix versions prior to 2.1.17 are vulnerable to stored XSS. A custom DOMPurify hook lets the data-trix-serialized-attributes attribute survive sanitization; Trix then parses that attribute as JSON and applies its contents to the DOM, so malicious event handlers placed inside the JSON are never seen by the sanitizer but still end up on live elements.
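The following is an added example that models the bypass described above and in the summary; it is not Trix's or DOMPurify's code. Elements are plain objects so it runs under Node without a DOM, the BASE_ALLOWED set and all function names are assumptions, and the apply-time allowlist in the fixed path is an extra defense-in-depth gate of my own, not the upstream change (which forbids the carrier attribute in the DOMPurify configuration).

```javascript
// Added example (not Trix's or DOMPurify's code): a minimal model of the
// sanitizer-bypass pattern the advisory describes. Elements are plain
// objects so this runs under Node without a DOM; BASE_ALLOWED is assumed.

const SERIALIZED_ATTR = "data-trix-serialized-attributes";

// Attributes a generic allowlist sanitizer keeps on any element (assumed set).
const BASE_ALLOWED = new Set(["class", "href", "src", "alt", "title"]);

// Model of sanitize-with-hook: keep allowlisted attributes, and let an
// editor hook re-admit the JSON carrier attribute when configured to.
function sanitize(element, { allowSerializedAttr }) {
  const kept = {};
  for (const [name, value] of Object.entries(element.attrs)) {
    const lname = name.toLowerCase();
    if (BASE_ALLOWED.has(lname)) {
      kept[lname] = value;
    } else if (lname === SERIALIZED_ATTR && allowSerializedAttr) {
      kept[lname] = value; // the bypass: the carrier survives sanitization
    }
    // everything else (including direct on* handlers) is dropped
  }
  return { tag: element.tag, attrs: kept };
}

// Model of the deserialization step: parse the carrier and set each key as
// a live attribute. With applyAllowlist=true only BASE_ALLOWED names are
// applied; that second gate is added defense in depth, not the upstream fix.
function applySerializedAttributes(element, applyAllowlist) {
  const raw = element.attrs[SERIALIZED_ATTR];
  if (raw === undefined) return element;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return element; // malformed carrier: leave the element untouched
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return element;
  const attrs = { ...element.attrs };
  delete attrs[SERIALIZED_ATTR];
  for (const [name, value] of Object.entries(parsed)) {
    if (applyAllowlist && !BASE_ALLOWED.has(name.toLowerCase())) continue;
    attrs[name] = String(value); // setAttribute(name, value) in a real DOM
  }
  return { tag: element.tag, attrs };
}

function hasInlineHandler(element) {
  return Object.keys(element.attrs).some((n) => /^on/i.test(n));
}

// Constructed payload shaped like the advisory's description: a benign
// handler carried inside the JSON attribute, plus a direct handler that
// any allowlist sanitizer strips.
const PAYLOAD = JSON.stringify({ onmouseover: "console.log('xss')" });
const UNTRUSTED = {
  tag: "figure",
  attrs: { class: "attachment", [SERIALIZED_ATTR]: PAYLOAD, onclick: "dropped-directly" },
};

// Vulnerable configuration: the hook admits the carrier and the
// deserializer applies whatever it contains.
function vulnerablePath(el = UNTRUSTED) {
  return applySerializedAttributes(sanitize(el, { allowSerializedAttr: true }), false);
}

// Fixed configuration: the carrier is forbidden at sanitization time (what
// the upstream change does) plus the assumed apply-time allowlist.
function fixedPath(el = UNTRUSTED) {
  return applySerializedAttributes(sanitize(el, { allowSerializedAttr: false }), true);
}

console.log("vulnerable:", vulnerablePath().attrs);
console.log("fixed:     ", fixedPath().attrs);
```

The direct onclick is stripped in both paths, which is why the bug is easy to miss in review: the sanitizer is working, it is just being asked the wrong question. The handler inside the JSON carrier only becomes a DOM attribute after sanitization has finished.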


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • CWE ID: CWE-79
  • Attack Vector: Network / Web Input
  • Authentication Required: None (Context Dependent)
  • CVSS Severity: Moderate
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • action_text-trix (RubyGems)
  • trix (npm)
  • action_text-trix: < 2.1.17 (Fixed in: 2.1.17)
  • trix: < 2.1.17 (Fixed in: 2.1.17)

Code Analysis

Commit: 53197ab

The fix explicitly forbids data-trix-serialized-attributes in the DOMPurify configuration, so the carrier attribute is stripped before Trix ever deserializes it and the custom hook can no longer re-admit it.

Mitigation Strategies

  • Upgrade the trix and action_text-trix packages to version 2.1.17 or later; this is the only complete fix.
  • As an interim measure, sanitize rich text server-side before storing or rendering it so that the data-trix-serialized-attributes attribute is removed from untrusted input. Trix uses this attribute for its own serialized content, so verify that stripping it does not break documents your application already stores.
  • Deploy a Content Security Policy whose script-src directive omits 'unsafe-inline' (a nonce- or hash-based policy qualifies). Inline event handlers such as onmouseover are then refused by the browser, which limits the impact of this and similar sanitizer bypasses but does not remove the underlying flaw.
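Before and after patching it is worth knowing whether anything hostile already sits in stored content. The following is an added triage script, not part of Trix or the advisory: it locates data-trix-serialized-attributes carriers in stored rich-text bodies and flags JSON keys that would become event handlers or script URLs. The regex only finds the attribute for triage and is not a sanitizer; the sample rows, the URL_ATTRS set and all function names are constructed for this example.

```javascript
// Added example (not part of Trix or the advisory): a triage scan over stored
// rich-text bodies that locates data-trix-serialized-attributes carriers and
// flags JSON keys/values that would land as event handlers or script URLs.
// The regex only locates the attribute for triage; it is not a sanitizer.

const ATTR_RE = /data-trix-serialized-attributes\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// Minimal entity decoding for the attribute value (enough for the common
// escapes in stored HTML; a full audit should use a real HTML parser).
function htmlUnescape(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

function findSuspiciousSerializedAttributes(html) {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const raw = htmlUnescape(m[1] ?? m[2] ?? "");
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch {
      // A carrier that is not valid JSON is unexpected; surface it for review.
      findings.push({ offset: m.index, reason: "unparseable-json", raw });
      continue;
    }
    if (parsed === null || typeof parsed !== "object") continue;
    for (const [k, v] of Object.entries(parsed)) {
      const key = k.toLowerCase();
      const value = String(v);
      if (key.startsWith("on")) {
        findings.push({ offset: m.index, reason: "event-handler", key, value });
      } else if (URL_ATTRS.has(key) && /^\s*javascript:/i.test(value)) {
        findings.push({ offset: m.index, reason: "script-url", key, value });
      }
    }
  }
  return findings;
}

// Returns the ids of records that need a human look.
function scanRecords(records) {
  return records
    .filter((r) => findSuspiciousSerializedAttributes(r.body).length > 0)
    .map((r) => r.id);
}

// Constructed sample rows standing in for a rich-text table dump.
const SAMPLE_RECORDS = [
  { id: 1, body: '<figure data-trix-serialized-attributes="{&quot;class&quot;:&quot;attachment&quot;}"></figure>' },
  { id: 2, body: '<figure data-trix-serialized-attributes="{&quot;onmouseover&quot;:&quot;console.log(1)&quot;}"></figure>' },
  { id: 3, body: "<a data-trix-serialized-attributes='{\"href\":\"javascript:void(0)\"}'>link</a>" },
  { id: 4, body: "<p>No carrier attribute here.</p>" },
];

console.log("records to review:", scanRecords(SAMPLE_RECORDS));
```

Run it over a dump of the column that stores the editor's HTML (for Action Text that is the body column of action_text_rich_texts) and review every flagged row by hand; a benign carrier with only class-style keys, as in record 1, is expected and produces no finding.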

Remediation Steps:

  1. Identify all projects utilizing the Trix rich text editor via npm or RubyGems.
  2. Update the package.json file to require "trix": "^2.1.17".
  3. Run npm install or yarn install to update the JavaScript package.
  4. Update the Gemfile to require gem 'action_text-trix', '>= 2.1.17'.
  5. Run bundle update action_text-trix to update the Ruby dependency.
  6. Rebuild and redeploy your JavaScript assets, then clear any server-side or CDN caches, so that clients actually receive the patched Trix build rather than a cached pre-2.1.17 bundle.

Read the full report for GHSA-QMPG-8XG6-PH5Q on our website for more details including interactive diagrams and full exploit analysis.
