CVE-2024-43368

Trix Editor XSS: The 'Trust Me, I'm Not HTML' Bypass

Amit Schendel
Senior Security Researcher

Jan 1, 2026 · 4 min read

Executive Summary (TL;DR)

Developers patched an XSS vulnerability by sanitizing content labeled as 'text/html'. Attackers bypassed this by labeling their malicious HTML as literally anything else (e.g., 'text/anything'). The renderer, ignoring the label, executed the code via innerHTML anyway. Fixed in version 2.1.4.

A logic flaw in Trix Editor's attachment handling allowed attackers to bypass XSS protections by simply mislabeling the content type of malicious payloads.
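To make the logic flaw concrete, here is an added example (not Trix's own code) that models the two rendering paths the summary describes: a vulnerable path that sanitizes only when an attachment claims to be 'text/html' and then writes whatever it has into innerHTML, and a hardened path in which the sink, not the label, decides the treatment. The sanitizer, the attachment objects and the sample content are all constructed for this illustration; the regex sanitizer is deliberately small and a real renderer should use a DOM-based sanitizer instead.

```javascript
// Added example modelling the CVE-2024-43368 logic flaw. Not Trix code;
// the attachment shape, sanitizer and sample content are constructed here.

// Minimal allowlist-style sanitizer: drops <script> elements, on* event
// handler attributes and javascript: URLs. Illustrative only; it also touches
// text nodes, which a DOM-based sanitizer (e.g. DOMPurify) would not.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\s(href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\2/gi, '');
}

// Escape text so it can never be parsed as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern (the pre-2.1.4 logic as the summary describes it):
// the label gates sanitization, but every label ends up in innerHTML.
function renderAttachmentVulnerable(attachment) {
  let content = attachment.content;
  if (attachment.contentType === 'text/html') {
    content = sanitizeHtml(content);
  }
  return { sink: 'innerHTML', markup: content };
}

// Hardened pattern: anything that reaches innerHTML is sanitized, and
// anything that is not HTML is rendered as text, whatever the label says.
function renderAttachmentFixed(attachment) {
  if (attachment.contentType === 'text/html') {
    return { sink: 'innerHTML', markup: sanitizeHtml(attachment.content) };
  }
  return { sink: 'textContent', markup: escapeHtml(attachment.content) };
}

// Review/test check: would active content reach a markup-parsing sink?
function hasActiveContent(rendered) {
  if (rendered.sink !== 'innerHTML') return false;
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(rendered.markup);
}

// Constructed sample: identical content under a truthful and an arbitrary label.
const SAMPLE_CONTENT =
  '<p>caption</p><script>probe()</script><a href="#" onclick="probe()">x</a>';
const SAMPLES = [
  { contentType: 'text/html', content: SAMPLE_CONTENT },
  { contentType: 'text/anything', content: SAMPLE_CONTENT },
];

// Returns, per sample, whether each renderer lets active content through.
function evaluate() {
  return SAMPLES.map(a => ({
    contentType: a.contentType,
    vulnerableLeaks: hasActiveContent(renderAttachmentVulnerable(a)),
    fixedLeaks: hasActiveContent(renderAttachmentFixed(a)),
  }));
}

console.table(evaluate());
```

Running it shows the asymmetry the summary describes: the vulnerable renderer is clean for 'text/html' and leaks for 'text/anything', while the hardened renderer is clean for both because the decision is made at the sink. The same check (sink plus a scan for active content) is a reasonable regression test to keep in any project that renders attachment content.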

Fix Analysis (1)

Technical Appendix

CVSS Score: 6.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Probability: 0.10% (top 100% most exploited)

Affected Systems

Basecamp Trix Editor
Ruby on Rails applications using the actiontext gem (older versions)
Any web application embedding Trix < 2.1.4

Affected Versions Detail

Product           Affected Versions   Fixed Version
Trix (Basecamp)   < 2.1.4             2.1.4
Attribute        Detail
CWE ID           CWE-79 (Cross-site Scripting)
CVSS v3.1        6.5 (Medium)
Attack Vector    Network (User Interaction Required)
Impact           Confidentiality & Integrity (High)
Exploit Status   PoC Available
Patch Status     Fixed in v2.1.4
CWE-79
Cross-site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

2024-08-16   Vulnerability Disclosed
2024-08-20   Patch Merged (v2.1.4)