  1. JOC - JS7 Operations Center
  2. JOC-2128

Upgrade codemirror to 6.0.2 due to 3rd party vulnerability CVE-2025-6493


Details

    • Fix
    • Status: Dismissed
    • Minor
    • Resolution: Won't Fix
    • 2.5.11, 2.7.5, 2.8.0
    • 2.5.12, 2.7.6, 2.8.1
    • None
    • None
    • CVE-2025-6493

    Description

      Current Situation

      Currently JS7 JOC-Cockpit ships with codemirror 5.65.18 which is affected by CVE-2025-6493.

      We rate the impact to our software as low, as whatever is typed inside the script editor is treated as plain text for editing and highlighting, not as executable HTML/JavaScript. Even if someone pastes malicious HTML/JS code, it will never be executed inside the browser.

      Desired Behavior

      JS7 should use codemirror version 6.0.2 which solves the issue.

      This issue is dismissed as it will take some more effort to dissolve the usage of codemirror. It will be resolved with releases 2.7.7 and 2.8.2.

            People

              ZtRahul193 Rahul Patidar
              sp Santiago Aucejo Petzoldt