Date: 
2025-June-25
Vulnerability: 
Cross-site Scripting
Affected versions: 
<1.0.4
CVE IDs: 
CVE-2025-6674
Description: 

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.

The module doesn't sufficiently validate iframe sources when a user embeds a video using the CKEditor YouTube integration, leading to a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions necessary to use the CKEditor Youtube embed button.
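
As an added illustration of what sufficient validation of an embed iframe source can look like (this is not the module's code and not the fix shipped in 1.0.4), the JavaScript below parses the URL and rebuilds it from allowlisted parts. The function name, the host allowlist, the video ID pattern and the sample inputs are assumptions constructed for this example.

```javascript
// Added example, not the module's code: strict allowlist check for the
// src of a YouTube embed iframe. Hosts and ID pattern are assumptions.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'www.youtube-nocookie.com']);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Returns a canonical embed URL, or null when the input must be rejected.
function safeYoutubeEmbedSrc(input) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input.trim()); // no base: relative and scheme-less input throws
  } catch {
    return null;
  }
  // Compare parsed components, never substrings of the raw string.
  if (url.protocol !== 'https:') return null;
  if (url.username || url.password || url.port) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  const match = url.pathname.match(/^\/embed\/([^/]+)$/);
  if (!match || !VIDEO_ID.test(match[1])) return null;

  // Rebuild from validated parts instead of echoing the input back, so
  // nothing unvalidated reaches the iframe attribute.
  const out = new URL(`https://${url.hostname}/embed/${match[1]}`);
  const start = url.searchParams.get('start');
  if (start !== null && /^\d{1,6}$/.test(start)) {
    out.searchParams.set('start', start);
  }
  return out.toString();
}

// Constructed sample inputs (video ID is a placeholder).
const SAMPLES = [
  'https://www.youtube.com/embed/AAAAAAAAAAA?start=30&x=y',
  'https://www.youtube.com.example.test/embed/AAAAAAAAAAA',
  'https://www.youtube.com@example.test/embed/AAAAAAAAAAA',
  '//www.youtube.com/embed/AAAAAAAAAAA',
  'javascript:void(0)',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeYoutubeEmbedSrc(s));
}
```

The same check belongs on the server side as well, since a value validated only in the editor can be bypassed by submitting markup directly.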

Solution: 

Install the latest version:

  • If you are using the CKEditor5 YouTube module on Drupal 9.x or higher, you should upgrade to: CKEditor5 Youtube 1.0.4
Reported By: 
Coordinated By: