Skip to content

Update dependency ckeditor5 to v45 [SECURITY] #149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Update dependency ckeditor5 to v45 [SECURITY] #149

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 6, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
ckeditor5 (source) ^44.1.0 -> ^45.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-58064

Impact

A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration.

This vulnerability affects only installations where the editor configuration meets one of the following criteria:

Patches

The problem has been recognized and patched. The fix will be available in version 46.0.3 (and above), and explicitly in version 45.2.2.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Release Notes

ckeditor/ckeditor5 (ckeditor5)

v45.2.2

Compare Source

A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package (CVE-2025-58064). This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration.

This vulnerability affects only installations where the editor configuration meets one of the following criteria:

You can read more details in the relevant security advisory and contact us if you have more questions.

Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Other releases:

v45.2.1

Compare Source

We are happy to announce the release of CKEditor 5 v45.2.1.

Release highlights

This hotfix release brings fixes for certain regressions in the field of text selection (with balloon toolbars enabled), multi-level lists, and pagination.

Bug fixes
  • engine: Fixed editor crash that happened in a specific scenario, when editing heavily formatted text, text with multiple comments, or text with comments and formatting. Closes #​18727. (commit)
  • engine: Fixed incorrect cache invalidation in Mapper, which could lead to crashes when editing heavily formatted content or when using complex features like multi-level lists. Closes #​18678. (commit)
  • engine: Fixed editor crash that happened when typing over a table content with the balloon toolbar enabled. Closes #​18648. (commit)
  • list-multi-level: Fixed editor crash that happened when editing deeply nested multi-level lists. Closes #​18678. (commit)
  • table: Improved calculation of pagination page-breaks on documents with long tables. Closes #​18600. (commit)
  • typing: Typing over multiple selected blocks next to a code block or a block quote should not crash the editor. Closes #​18722. (commit)
Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Other releases:

v45.2.0

Compare Source

We are happy to announce the release of CKEditor 5 v45.2.0.

Release highlights

CKEditor 5 v45.2.0 offers the following improvements and bug fixes.

  • We fixed the copy-paste scenario in the read-only mode.
  • Tables pasted from Office, especially with borderless layouts, should preserve styling in the editor similar to the ones in the source file.
  • Improved the adoption of the fullscreen feature on smaller screens and includes subtle visual tweaks.
MINOR BREAKING CHANGES ℹ️
  • source-editing: The formatHtml() helper function is extracted to the @ckeditor/ckeditor5-utils package. See #​18480.
Features
  • fullscreen: Empty sidebars will no longer lock empty space around the editable in fullscreen mode. Closes #​18474. (commit)
Bug fixes
  • engine: The editor should not crash while using Mac text replacement in the Track changes mode. (commit)
  • engine: Copying content in read-only mode should use the current document selection. Closes #​18514. (commit)
  • engine: The editor should not crash after clearing content with a widget selected. Closes #​18123, #​18458. (commit)
  • pagination: Chrome no longer incorrectly pushes content to the next page when rendering documents consisting mainly of paragraphs with soft line breaks. Closes #​7316.
  • paste-from-office: Unset table borders no longer fall back to default table styles. Closes #​16931, #​10655, #​18540. (commit)
  • real-time-collaboration: Fixed a crash that occurred when a user selected table cells containing only non-textual elements, such as images.
  • revision-history: Fixed a crash in the revision history viewer that occurred when navigating revision changes, if the previewed revision was restored by one user but included suggestions originally made by other users.
  • source-editing: Single line pre-block should not cause loss of indentation on later lines in source mode. Closes #​18360. (commit)
  • source-editing: Empty lines in code blocks should not be removed in source editing mode. See #​18480. (commit)
  • source-editing-enhanced: Single line pre-block should not cause loss of indentation on later lines in source mode. Closes #​18360. (commit)
  • source-editing-enhanced: Empty lines in code blocks should not be removed in source editing mode. See #​18480. (commit)
  • table: Should apply the proper [width] attribute when it is used both on <table> and <figure> elements. Closes #​18469. (commit)
  • track-changes: Fixed crashes that could occur in real-time collaboration when a user splits suggestions rapidly in a short time frame.
Other changes
  • paste-from-office: Normalized pasted table length units (dimensions and border widths). (commit)
  • The development environment requires Node v22 due to migrating to the latest ESLint (v9) version. See #​18475. (commit)
Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Minor releases (contain minor breaking changes):

Releases containing new features:

Other releases:

v45.1.0

Compare Source

We are happy to announce the release of CKEditor 5 v45.1.0.

Release highlights
Typing Improvements

The typing behavior has been improved for plain text typing. This adjustment allows the web browser to handle text insertion before the editor processes it, enhancing typing reliability across various scenarios, especially on Safari and iOS devices. Issues related to track changes, autocorrect, automatic text replacement, and other input methods have been addressed.

Track Changes Enhancements

A new method to start a "tracking session" has been introduced, preventing automatic merging of adjacent suggestions. This allows for more precise control over individual changes, catering to workflows that require selective acceptance of edits.

Miscellaneous improvements
  • Sticky toolbars and balloons are now better aligned with the visual viewport on iOS and Safari, ensuring correct positioning when zooming.
  • The fullscreen plugin has been improved to maintain scroll position when exiting fullscreen, avoiding unexpected jumps on smooth-scrolling pages. Layout consistency has been refined by adjusting margins and editable width. Errors related to the Content minimap plugin in fullscreen mode have also been resolved.
  • Introduced a fix which ensures that the data-author-id and data-suggestion attributes are preserved in non-block suggestions when retrieving data with showSuggestionHighlights: true.
  • We improved the algorithm for images detection in the Paste from Office feature, in scenarios of mixed local and online images from Microsoft Word. Paste no longer causes some images not to appear.
MINOR BREAKING CHANGES ℹ️
  • The default behavior of the beforeinput DOM events is no longer prevented in plain text typing scenarios. Now, the engine waits for DOM mutations and applies changes to the model afterward. This should not affect most integrations however, it may affect custom modifications to text insertion into the editor.
Features
Bug fixes

  • comments: Fixed a crash happening for some asynchronous collaboration integrations, when the TrackChangesData plugin was used while there was a resolved comment thread in the document's initial data.

  • email: Fixed incorrect documentation links in the email configuration helper.

  • fullscreen: Minor styling improvements. Closes #​18470. (commit)

  • fullscreen: Changed the method use to recognize the editor type in fullscreen. Closes #​18395. (commit)

  • fullscreen: Fixed restoring scroll position after leaving fullscreen mode for containers with scroll-behavior: smooth. Closes #​18378. (commit)

  • html-support: Removing formatting from empty HTML no longer crashes the editor. Closes #​18089. (commit)

  • html-support: Pasting an empty HTML element no longer crashes the editor. Closes #​18100. (commit)

  • image: Consume the .image_resize class and the [aspect-ratio] style during the upcast of the images. Closes #​18287. (commit)

  • link: Fixed a bug where the editor would crash or do nothing when pressing the enter key in newline-suppressed scenarios (such as limit elements). Closes #​15862. (commit)

    Thanks @​jonscheiding!

  • minimap: The plugin no longer throws errors when entering the fullscreen mode. Closes #​18472. (commit)

  • paste-from-office: Mixed local and online images from Microsoft Word paste no longer cause some images to disappear. Closes #​18180. (commit)

  • source-editing-enhanced: When the Enhanced Source Editi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-ckeditor5-vulnerability branch from fcaa91c to 41795c9 Compare September 25, 2025 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants