Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm💎 RubyGems

GHSA-qjqp-xr96-cj99

MEDIUM

Trix Editor Arbitrary Code Execution Vulnerability

Also known asCVE-2024-34341
Published
May 7, 2024
Updated
Feb 4, 2026
Affected
4 pkgs
Patched
4 / 4
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.8%probability of exploitation in next 30 days
Lower Risk51th percentile+0.23%
0.00%0.43%0.86%1.28%0.2%0.8%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

4 pkgs affected
📦trix📦trix💎actiontext💎actiontext

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm, RubyGems packages — download data is not available via public APIs for these ecosystems.

Description

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.

Vulnerable Versions:

  • 1.x series up to and including 1.3.1
  • 2.x series up to and including 2.1.0

Fixed Versions:

  • v1.3.2
  • v2.1.1

Vector:

  • Bug 1: When copying content manipulated by a script, such as:
document.addEventListener('copy', function(e){
  e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
  e.preventDefault();
});

and pasting into the Trix editor, the script within the content is executed.

  • Bug 2: Similar execution occurs with content structured as:
document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);

Impact:

An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Remediation:

Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References:

Credit: These issues were reported by security researchers loknop and pinpie.

Affected Packages

4 total 4 fixed
EcosystemPackageVulnerable rangeFix
📦npmtrix2.0.0&&< 2.1.12.1.1
📦npmtrix0.9.0&&< 1.3.21.3.2
💎RubyGemsactiontext7.0.0.alpha1&&< 7.0.8.37.0.8.3
💎RubyGemsactiontext7.1.0.beta1&&< 7.1.3.37.1.3.3

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for trix. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update trix to 2.1.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-qjqp-xr96-cj99 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-qjqp-xr96-cj99 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-qjqp-xr96-cj99. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. **Vulnerable Versions**: - 1.x series up to and including 1.3.1 - 2.x series up to and including 2.1.0 **Fixed Versions**: - v1.3.2 - v2.1.1 **Vector**: - **Bug 1**: When copying content manipulated by a script, such as: ```js document.a
O3 Security · Impact-Aware SCA

Is GHSA-qjqp-xr96-cj99 in your dependencies?

O3 detects GHSA-qjqp-xr96-cj99 across npm, RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works