CVE-2025-57665

Description

Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs. As of version 2.11.0, Element Plus have clearly documented the risks inherent with the component.

How to fix CVE-2025-57665

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2025-57665 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 2.11.0

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-57665
• PATCHgithub.com/element-plus/element-plus
• WEBelement-plus.org/en-US/component/link.html
• WEBgithub.com/element-plus/element-plus/blob/dev/packages/components/link/src/link.vue