Impact
Tiptap for PHP versions before 2.1.1 contain an input validation flaw that allows an authenticated user to submit Tiptap JSON with the attrs.href field set to an array instead of a string. When the library attempts to validate the href by calling Link::isAllowedUri() and passing the improperly typed value to preg_match(), an unhandled TypeError occurs, causing the server-side HTML rendering pipeline to crash. Because the malformed record remains in the database, every subsequent attempt to view that record fails until the entry is manually repaired, creating a widespread denial of service for users of the affected application.
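Defensive counterpart, written in PHP as an added example (not code from Tiptap for PHP or ueberdosis): a recursive walker that rejects a Tiptap document containing a link mark whose attrs.href is not a string, before the record reaches the database or the renderer. It assumes the standard Tiptap/ProseMirror document shape (doc, content, text nodes carrying marks); findMalformedHrefs() and the sample document are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Tiptap's own code. Walks a Tiptap/ProseMirror JSON document
// and reports every link mark whose attrs.href is not a string, so the record can
// be rejected on write (or flagged during cleanup) before the renderer sees it.
// findMalformedHrefs() and the sample document below are hypothetical/constructed.

// Returns human-readable locations of mistyped hrefs; empty means safe to render.
function findMalformedHrefs(array $node, string $path = '$'): array
{
    $problems = [];

    // Link attributes live on marks attached to inline (text) nodes.
    foreach ((array) ($node['marks'] ?? []) as $i => $mark) {
        if (!is_array($mark) || ($mark['type'] ?? null) !== 'link') {
            continue;
        }
        $attrs = $mark['attrs'] ?? [];
        if (is_array($attrs) && array_key_exists('href', $attrs) && !is_string($attrs['href'])) {
            $problems[] = sprintf('%s.marks[%d].attrs.href is %s', $path, $i, gettype($attrs['href']));
        }
    }

    // Recurse into child nodes (doc -> paragraph -> text, ...).
    foreach ((array) ($node['content'] ?? []) as $i => $child) {
        if (is_array($child)) {
            $problems = array_merge($problems, findMalformedHrefs($child, sprintf('%s.content[%d]', $path, $i)));
        }
    }

    return $problems;
}

// Constructed sample: one well-formed link and one whose href is an array.
$json = '{"type":"doc","content":[{"type":"paragraph","content":['
      . '{"type":"text","text":"ok","marks":[{"type":"link","attrs":{"href":"https://example.com"}}]},'
      . '{"type":"text","text":"bad","marks":[{"type":"link","attrs":{"href":["https://example.com"]}}]}'
      . ']}]}';
$doc = json_decode($json, true, 512, JSON_THROW_ON_ERROR);

$problems = findMalformedHrefs($doc);
if ($problems !== []) {
    // Reject before persisting: a stored bad record breaks every later render.
    fwrite(STDERR, 'Rejected: ' . implode('; ', $problems) . PHP_EOL);
    exit(1);
}
echo "Document accepted\n";
```

The same function can be run over already-stored records to locate the entries that need manual repair after an upgrade to 2.1.1 or later.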
Affected Systems
The affected product is the Tiptap for PHP library distributed by ueberdosis. All releases prior to v2.1.1 are vulnerable. The library is used in server-side PHP applications that transform Tiptap JSON documents into HTML, so any deployment that includes a vulnerable version is at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability. Exploitation requires authenticated access to inject the malformed JSON, but once the payload is stored it causes a server-side crash from which the application cannot recover until the record is manually cleaned up. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation; however, the combination of high impact and the low complexity of crafting the malformed payload makes it a significant risk to any system that relies on a pre-2.1.1 Tiptap for PHP installation.
OpenCVE Enrichment