Package details: pkg:npm/element-plus@2.2.25
purl pkg:npm/element-plus@2.2.25
Next non-vulnerable version 2.11.1
Latest non-vulnerable version 2.11.1
Risk
Vulnerabilities affecting this package (1)
Vulnerability: VCID-a4v5-uv7b-gfhc
Aliases: CVE-2025-57665, GHSA-5m5x-9j46-h678
Summary: Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.
Fixed by: 2.11.1 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

History
Date: 2026-06-12T20:16:07.122771+00:00
Actor: GitLab Importer
Action: Affected by
Vulnerability: VCID-a4v5-uv7b-gfhc
Source: https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/element-plus/CVE-2025-57665.yml
VulnerableCode Version: 38.6.0