CVE-2025-54384

Impact

The helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector.

Patches

This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4

Published: Oct 29, 2025
Updated: Oct 30, 2025
CVE: CVE-2025-54384
GHSA: GHSA-2r4h-8jxv-w2j8
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ckan	2.11.0	2.11.4
ckan	-	2.10.9

https://github.com/ckan/ckan/commit/112affffa74b14fc97c54abcf18315df97114917
https://github.com/ckan/ckan/commit/6d0065f2fc7e2682196d125275af34b93e9e554e
https://github.com/ckan/ckan/releases/tag/ckan-2.10.9
https://github.com/ckan/ckan/releases/tag/ckan-2.11.4
https://github.com/ckan/ckan/security/advisories/GHSA-2r4h-8jxv-w2j8

Vulnerability Database

CVE-2025-54384

Impact

Patches

Deep Security Visibility Without the Complexity