JOC - JS7 Operations Center: JOC-2124

Replace codemirror due to 3rd-party vulnerability CVE-2025-6493


Details

    • Type: Fix
    • Status: Approved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.11, 2.7.5, 2.8.0
    • Fix Version/s: 2.7.7, 2.8.2
    • Component/s: None
    • Labels: None
    • CVE: CVE-2025-6493

    Description

      Current Situation

      JS7 JOC Cockpit currently ships with codemirror 5.65.18, which is affected by CVE-2025-6493. The codemirror 3rd-party component is used for syntax highlighting in the Workflow Editor.

      We rate the impact on our software as low: whatever is typed into the script editor is treated as plain text for editing and highlighting, not as HTML or JavaScript to be executed. Even if someone pastes malicious HTML/JS into the editor, it is rendered as text and never executed in the browser.

      Desired Behavior

      JS7 JOC Cockpit will replace codemirror with its own implementation. The usefulness of codemirror is not in proportion to the attack surface it adds, considering that updated versions of codemirror introduce additional 3rd-party libraries.
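
      The following is an added example and not JOC Cockpit code; it illustrates the property relied on in the impact rating above (editor content is text, not markup) and the shape a minimal in-house highlighter for the Workflow Editor could take. The token types, the keyword set and the CSS class names (tok-keyword, tok-string, tok-comment) are illustrative assumptions. Every character of the script buffer passes through escapeHtml before it is concatenated into markup, so a pasted <img onerror=...> is displayed as text; unsafeHighlightLine shows the interpolation pattern a replacement must avoid.

```javascript
// Added example (not JOC Cockpit code): a minimal syntax highlighter that
// treats the editor buffer strictly as text. Script content only reaches the
// page HTML-escaped, so pasted markup is displayed, never interpreted.
// Keyword set and token/class names are illustrative assumptions.

const KEYWORDS = new Set(["if", "then", "else", "fi", "for", "do", "done", "echo", "exit"]);

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Tokenize one line of a shell-like job script.
// Token types: comment, string, keyword, text. Anything unrecognised is "text".
function tokenizeLine(line) {
  const tokens = [];
  let i = 0;
  while (i < line.length) {
    const ch = line[i];
    if (ch === "#") {                           // comment runs to end of line
      tokens.push({ type: "comment", value: line.slice(i) });
      break;
    }
    if (ch === '"' || ch === "'") {             // quoted string; unterminated runs to EOL
      let j = i + 1;
      while (j < line.length && line[j] !== ch) j++;
      const end = Math.min(j + 1, line.length);
      tokens.push({ type: "string", value: line.slice(i, end) });
      i = end;
      continue;
    }
    const word = /^[A-Za-z_][A-Za-z0-9_]*/.exec(line.slice(i));
    if (word) {                                 // identifier or keyword
      tokens.push({ type: KEYWORDS.has(word[0]) ? "keyword" : "text", value: word[0] });
      i += word[0].length;
      continue;
    }
    tokens.push({ type: "text", value: ch });   // punctuation, whitespace, etc.
    i++;
  }
  return tokens;
}

// Render one line as HTML. Only the wrapper <span> markup is literal and it is
// produced here; the token value (the user's text) is always escaped.
function highlightLine(line) {
  return tokenizeLine(line)
    .map((t) => t.type === "text"
      ? escapeHtml(t.value)
      : `<span class="tok-${t.type}">${escapeHtml(t.value)}</span>`)
    .join("");
}

// Contrast: the pattern a highlighter must NOT use. Interpolating the raw
// buffer into markup hands a pasted <img onerror=...> to the HTML parser.
function unsafeHighlightLine(line) {
  return `<span class="tok-text">${line}</span>`;
}

// Check whether an element of the given name survives as real markup.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed sample input: a job-script line with pasted markup in a string.
const SAMPLE = 'echo "<img src=x onerror=alert(1)>" # note';
console.log(highlightLine(SAMPLE));
```

      In a real editor the rendered string would be assigned to a container's innerHTML (or built with createElement/textContent, which needs no escaping at all); the point is that the script author's bytes only ever appear inside text positions, never as tag or attribute syntax.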

      People

        Rahul Patidar
        Santiago Aucejo Petzoldt
        Ajay Kumbhkar