ckeditor / ckeditor4

The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.

Home Page:https://ckeditor.com/ckeditor-4


Important update for CKEditor 4 Users

jacekbogdanski opened this issue · comments

As we approach the one-year anniversary of CKEditor 4 reaching its end of life, it's crucial to emphasize the importance of maintaining a secure software environment.

Starting July 1st, we'll activate security notifications for CKEditor 4. This change will impact the open-source version 4.22 and all earlier versions served via our CDN. These notifications will alert users and integrators to the presence of unsecured CKEditor 4 versions, which may be vulnerable to security threats. As of this writing, the latest secure version of CKEditor 4 is 4.24.0-lts. Applications using secure CKEditor 4 versions won’t be impacted by these notifications.
Our aim with this initiative is to raise awareness about the risks associated with using version 4.22 and below, which have known security vulnerabilities. We want to ensure all integrators are informed and able to make informed decisions about their next steps.

Options for Integrators

For integrators, we recognize that seeing these notifications may not always be ideal. Therefore, CKEditor 4 includes an option to disable these security notifications. However, while this may offer temporary relief, we strongly advise against continuing to use an unsecured version of CKEditor 4. Disabling notifications without addressing underlying security risks leaves your application exposed to potential threats.

For those interested in using the latest, secure version of CKEditor 4, reach out to us regarding obtaining a CKE 4 LTS license.

You may manually disable security notifications for the editor using the following configuration option: config.versionCheck

CKEDITOR.replace( 'editor', {
    // Disable security notifications.
    versionCheck: false
} );

We’ve prepared additional content to help you learn more about our Extended Support Model for CKEditor 4 and how we can help keep your application secure.

commented

This change will impact the open-source version 4.22 and all earlier versions served via our CDN

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

commented

Well - if I generate version 4.24.0-LTS from my built-config.js of Typesetter CMS - the downloaded version doesn't come up (4.22.1 does!) - what can be the reason? I get some inner errors of the ckeditor.js in the Firefox debugger....

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

The only solution for that issue that I'm aware of is recreating an SRI hash. That's not a perfect scenario, but the information about the CDN update has been available long before the notification was introduced to CDNs. As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it.

Well - if I generate version 4.24.0-LTS from my built-config.js of Typesetter CMS - the downloaded version doesn't come up (4.22.1 does!) - what can be the reason? I get some inner errors of the ckeditor.js in the Firefox debugger....

I advise you to contact the CMS maintainer; we can't help much with third-party software.

commented

I have now installed the full version under Typesetter 5.2/jQuery 2.24: here I get the error

[CKEDITOR] Error code: editor-plugin-deprecated. Object { plugin: "flash" } plugin: "flash"

: Object { … }
jquery.js:918:171
[CKEDITOR]
For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#editor-plugin-deprecated jquery.js:918:266
[CKEDITOR]: The license key is missing or invalid.

If you suddenly started to see this message, this may mean you accidentally updated CKEditor 4 to the LTS version (4.23.0 and above). This version of the editor is under commercial terms and requires acquiring an "Extended Support Model" contract - https://ckeditor.com/ckeditor-4-support/

For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#invalid-lts-license-key

So I must register - that's all: versions from a CDN will not run at Typesetter. I would prefer a popup 'Please enter your registration key'.

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

The only solution for that issue that I'm aware of is recreating an SRI hash. That's not a perfect scenario, but the information about the CDN update has been available long before the notification was introduced to CDNs. As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it.

This could just as easily have been a console.error() message, instead of displaying a MASSIVE RED BOX in front of every user's face, which they need to close in order to complete their flow.

Both the notification itself, and the announcement, have between them a total of THREE separate URLs encouraging developers into buying your product or face the consequences.

(The fact that this notification isn't appearing on version 4.23.0-LTS, which is also insecure, speaks rather loudly.) While security is important, pretending this change was made out of thoughtfulness and the goodness of your heart, instead of an attempt to squeeze money out of users who aren't paying for LTS, is frankly a little bit gross.

commented

A dark pattern to force everybody to purchase the commercial version. We all know what you are doing. Disappointing.