CKEditor 4.25.0 LTS released with security patches and updates
We are pleased to announce the release of CKEditor 4.25.0-lts, an important update made available to customers who have purchased the CKEditor 4 Extended Support Model (ESM). This update addresses recently discovered cross-site scripting (XSS) vulnerabilities and includes several key dependency updates to enhance the security and performance of your editor.
Security Fixes
This release tackles two significant security vulnerabilities:
Cross-Site Scripting (XSS) Vulnerability (Low-Risk):
A theoretical XSS vulnerability has been identified in CKEditor 4.22 and later versions. While the likelihood of exploitation is very low, since an attacker would first need to gain control over the https://cke4.ckeditor.com domain, we have implemented a fix to follow security best practices. The affected feature is also disabled by default in all CKEditor 4 LTS versions, further minimizing the risk.
Detailed information about this vulnerability can be found in the GitHub Security Advisory on the potential domain takeover.
Vulnerability in Code Snippet GeSHi Plugin:
We have removed the GeSHi syntax highlighter from the Code Snippet plugin to mitigate a potential XSS risk. Integrators who still need GeSHi highlighting will have to independently assess the inclusion of this library based on their specific use cases.
Detailed information about this vulnerability can be found in the GitHub Security Advisory for Code Snippet GeSHi plugin.
Dependency Updates
Alongside these security fixes, the following dependencies have been updated:
- CodeMirror (used in samples): updated to v5.65.17, improving stability and performance.
- Highlight.js (used by the Code Snippet plugin): updated to v11.9.0, with notable changes including:
  - Discontinued Internet Explorer support: this version no longer supports Internet Explorer, potentially impacting users reliant on this browser.
  - Theme name updates: certain theme names have been updated or removed (e.g., monokai_sublime is now monokai-sublime), which may affect existing configurations such as config.codeSnippet_theme settings for some customers. Please review and adjust your theme settings accordingly.
Why You Should Upgrade
We strongly recommend upgrading to CKEditor 4.25.0-lts to secure your installation and ensure continued compatibility. This release is critical for maintaining a secure and stable editing environment, particularly in large-scale production environments where vulnerabilities could have significant consequences. Ensuring your software is up-to-date is essential to safeguarding against potential security risks.
You can learn more about these changes in the CKEditor 4 changelog.
How to Upgrade CKEditor 4
Upgrading to CKEditor 4.25.0-lts is straightforward, especially for those operating under the Extended Support Model (ESM). Here’s how you can do it:
- Accessing LTS and ESM: if you have purchased an Extended Support Model, you can download the latest LTS version directly from the CKEditor 4 Download page. If you haven't opted for ESM yet, please contact our sales team to get access to this update.
- Upgrade guide: detailed instructions on upgrading can be found in our upgrading guide, which walks you through the process of updating your CKEditor 4 installation to the latest version.
- Configuration review: after upgrading, make sure to review your configuration, especially if you are using the Code Snippet plugin or any custom themes. Adjustments may be needed due to the theme name updates and other changes in this release.
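To make the configuration review concrete, here is an added example in JavaScript (not CKEditor's own code) that rewrites a legacy Highlight.js theme name found in a CKEditor 4 config object and checks the result against the stylesheets actually shipped with the bundled Highlight.js. It assumes that the one rename shown above (monokai_sublime to monokai-sublime) generalises to "underscores become hyphens", and it uses a constructed list of style file names in place of a real directory listing; anything it cannot map automatically is reported for manual review rather than guessed.

```javascript
// Added example, not CKEditor's own code: a migration helper for the
// Highlight.js theme rename mentioned in the release notes.
//
// Assumptions (not stated on the page):
//   * the rename shown (monokai_sublime -> monokai-sublime) generalises to
//     "underscores in a theme name become hyphens";
//   * config.codeSnippet_theme must match the basename of a CSS file in the
//     Highlight.js styles directory bundled with the Code Snippet plugin.

// Constructed sample of CSS basenames from a Highlight.js 11 styles
// directory. Replace with a real listing (e.g. fs.readdirSync of that folder).
const SAMPLE_STYLES = [
  'default.css',
  'github.css',
  'monokai.css',
  'monokai-sublime.css',
  'atom-one-dark.css',
];

// Turn a styles listing into the set of theme names the plugin can be given.
function availableThemes(cssFiles) {
  return new Set(
    cssFiles
      .filter((f) => f.endsWith('.css'))
      .map((f) => f.replace(/(\.min)?\.css$/, ''))
  );
}

// Rewrite a legacy underscore theme name and report whether the result exists.
function migrateCodeSnippetTheme(config, cssFiles) {
  const themes = availableThemes(cssFiles);
  const original = config.codeSnippet_theme;

  // Unset or non-string values: the plugin falls back to its default theme,
  // so nothing changes, but the reviewer is told about it.
  if (typeof original !== 'string' || original === '') {
    return {
      config,
      changed: false,
      available: true,
      note: 'codeSnippet_theme not set; plugin default applies',
    };
  }

  const renamed = original.replace(/_/g, '-');
  const changed = renamed !== original;
  const available = themes.has(renamed);
  let note;
  if (!available) {
    note = `theme "${renamed}" is not in the bundled styles; pick a replacement manually`;
  } else if (changed) {
    note = `renamed "${original}" -> "${renamed}"`;
  } else {
    note = 'theme name already valid';
  }

  return {
    config: { ...config, codeSnippet_theme: renamed },
    changed,
    available,
    note,
  };
}

// Constructed pre-upgrade config.js fragment used for the demonstration.
const legacyConfig = {
  codeSnippet_theme: 'monokai_sublime',
  codeSnippet_languages: { javascript: 'JavaScript', php: 'PHP' },
};

console.log(migrateCodeSnippetTheme(legacyConfig, SAMPLE_STYLES));
```

Run it with Node against a listing of the real styles directory and carry the returned theme name into config.codeSnippet_theme; a theme reported as unavailable should be chosen afresh from that listing rather than guessed.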
For any questions or further assistance, feel free to reach out to our support team at support@cksource.com.
Consider Upgrading to CKEditor 5
As CKEditor 4 has reached its end of life, with future updates requiring the purchase of the CKEditor 4 Extended Support Model (ESM), now is an excellent time to consider upgrading to CKEditor 5. CKEditor 5 offers a more modern, flexible editing experience, complete with powerful APIs, collaboration features, and enhanced performance. Upgrading to CKEditor 5 ensures continued access to the latest features, updates, and security enhancements, providing a future-proof solution for your content editing needs.