
CKEditor 4.25.0 LTS released with security patches and updates

We are pleased to announce the release of CKEditor 4.25.0-lts, an important update made available to customers who have purchased the CKEditor 4 Extended Support Model (ESM). This update addresses recently discovered cross-site scripting (XSS) vulnerabilities and includes several key dependency updates to enhance the security and performance of your editor.

Security Fixes

This release tackles two significant security vulnerabilities:

Cross-Site Scripting (XSS) Vulnerability (Low-Risk):

A theoretical XSS vulnerability has been identified in CKEditor 4.22 and later versions. While the likelihood of exploitation is very low—it requires an attacker to gain control over the https://cke4.ckeditor.com domain—we have implemented a fix to maintain compliance with security best practices. The affected feature is also disabled by default in all CKEditor 4 LTS versions, which further minimizes the risk.

Detailed information about this vulnerability can be found in the GitHub Security Advisory for the potential domain takeover.

Vulnerability in Code Snippet GeSHi Plugin:

We’ve removed the GeSHi syntax highlighter from the Code Snippet plugin to mitigate a potential XSS risk. Integrators will need to independently assess the inclusion of this library based on their specific use cases.

Detailed information about this vulnerability can be found in the GitHub Security Advisory for Code Snippet GeSHi plugin.

Dependency Updates

Alongside these security fixes, the following dependencies have been updated:

  • CodeMirror (used in samples): Updated to v5.65.17, improving stability and performance.

  • Highlight.js (used by the Code Snippet plugin): Updated to v11.9.0, with notable changes including:

    • Discontinued Internet Explorer Support: This version no longer supports Internet Explorer, potentially impacting users reliant on this browser.

    • Theme Name Updates: Certain theme names (e.g., monokai_sublime is now monokai-sublime) have been updated or removed, which may affect existing configurations such as the config.codeSnippet_theme setting for some customers. Please review and adjust your theme settings accordingly.
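The following is an added example, not code from CKEditor or the Code Snippet plugin, showing how an integrator could check an existing CKEditor 4 configuration object for a codeSnippet_theme value affected by the Highlight.js theme changes before rolling out the upgrade. The rename table contains only the one rename named above; the list of available themes and the fallback name are constructed sample inputs, not the real contents of the upgraded bundle.

```javascript
// Added example (not CKEditor's own code): review a CKEditor 4 config object's
// codeSnippet_theme against the themes actually present after the upgrade.

// Only the rename mentioned in the release notes; extend from your own bundle.
const RENAMED_THEMES = {
  monokai_sublime: 'monokai-sublime',
};

// Constructed sample of theme names shipped after the upgrade (assumption).
const SAMPLE_AVAILABLE_THEMES = ['default', 'github', 'monokai-sublime'];

// Returns a copy of the config with the theme corrected where needed, plus
// a `changed` flag and human-readable notes for the configuration review.
function reviewCodeSnippetTheme(config, availableThemes, fallback) {
  const result = { config: { ...config }, changed: false, notes: [] };
  const current = config.codeSnippet_theme;

  if (current === undefined) {
    result.notes.push('codeSnippet_theme not set; the plugin default applies');
    return result;
  }

  // Step 1: apply known renames (underscore -> hyphen style).
  const renamed = RENAMED_THEMES[current];
  if (renamed) {
    result.config.codeSnippet_theme = renamed;
    result.changed = true;
    result.notes.push(`theme "${current}" renamed to "${renamed}"`);
  }

  // Step 2: a theme that no longer exists would leave snippets unstyled, so
  // fall back to a theme known to be present and flag it for the reviewer.
  const effective = result.config.codeSnippet_theme;
  if (!availableThemes.includes(effective)) {
    result.config.codeSnippet_theme = fallback;
    result.changed = true;
    result.notes.push(`theme "${effective}" not available; using "${fallback}"`);
  }
  return result;
}
```

Run it over each editor configuration you deploy and treat any non-empty `notes` array as an item for the post-upgrade configuration review.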

Why You Should Upgrade

We strongly recommend upgrading to CKEditor 4.25.0-lts to secure your installation and ensure continued compatibility. This release is critical for maintaining a secure and stable editing environment, particularly in large-scale production environments where vulnerabilities could have significant consequences. Ensuring your software is up-to-date is essential to safeguarding against potential security risks.

You can learn more about these changes in the CKEditor 4 changelog.

How to Upgrade CKEditor 4

Upgrading to CKEditor 4.25.0-lts is straightforward, especially for those operating under the Extended Support Model (ESM). Here’s how you can do it:

  1. Accessing LTS and ESM: If you have purchased an Extended Support Model, you can download the latest LTS version directly from the CKEditor 4 Download page. If you haven’t opted for ESM yet, please contact our sales team to get access to this crucial update.

  2. Upgrade Guide: Detailed instructions on upgrading can be found in our upgrading guide, which walks you through the process of updating your CKEditor 4 installation to the latest version.

  3. Configuration Review: After upgrading, make sure to review your configuration, especially if you are using the Code Snippet plugin or any custom themes. Adjustments may be needed due to theme name updates and other changes in this release.

For any questions or further assistance, feel free to reach out to our support team at support@cksource.com.

Consider Upgrading to CKEditor 5

As CKEditor 4 has reached its end of life, requiring the purchase of the CKEditor 4 Extended Support Model (ESM) for future updates, now is an excellent time to consider upgrading to CKEditor 5. CKEditor 5 offers a more modern, flexible editing experience, complete with powerful APIs, collaboration features, and enhanced performance. Upgrading to CKEditor 5 ensures continued access to the latest features, updates, and security enhancements, providing a future-proof solution for your content editing needs.
