Regular Expression Denial of Service (ReDoS) in Prism
### Description
Some languages in Prism before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).
### Impact
When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very long time to highlight. Do not use the following languages to highlight untrusted text.
- AsciiDoc
- ERB
Other languages are __not__ affected and can be used to highlight untrusted text.
### Patches
This problem has been fixed in Prism v1.24.
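For deployments that cannot upgrade immediately, the guidance above can be enforced in code. The following is an added example, not code from the Prism project: it refuses to run the affected grammars on untrusted text when the installed version is older than 1.24.0 and falls back to escaped plain text. It assumes the Prism language ids `asciidoc`, `adoc` and `erb` for the languages listed above, and that the caller supplies the installed version (for example from its lockfile); `highlightUntrusted` and `isPatched` are hypothetical names.

```javascript
// Added example. Assumed Prism ids for the advisory's "AsciiDoc" and "ERB".
const AFFECTED = new Set(['asciidoc', 'adoc', 'erb']);
const FIXED_IN = [1, 24, 0]; // first fixed release per the advisory

// Parse "1.23.0" or "v1.24" into [major, minor, patch]; null if unparseable.
// The end anchor makes pre-release strings unparseable, so they count as unpatched.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// True only when the version is known and >= 1.24.0.
function isPatched(version) {
  const v = parseVersion(version);
  if (!v) return false; // unknown version: fail closed
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_IN[i]) return v[i] > FIXED_IN[i];
  }
  return true;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// prism: the loaded Prism object (uses prism.languages and prism.highlight).
// prismVersion: installed version string, supplied by the caller.
function highlightUntrusted(prism, prismVersion, text, lang) {
  const id = String(lang).toLowerCase();
  const own = Object.prototype.hasOwnProperty.call(prism.languages, id);
  const g = own ? prism.languages[id] : null;
  // Prism.languages also carries helper functions (e.g. extend); accept objects only.
  const grammar = g && typeof g === 'object' ? g : null;
  const blocked = AFFECTED.has(id) && !isPatched(prismVersion);
  if (blocked || !grammar) {
    return {
      html: escapeHtml(text),
      highlighted: false,
      reason: blocked ? 'redos-affected-language' : 'unknown-language',
    };
  }
  return { html: prism.highlight(text, grammar, id), highlighted: true, reason: null };
}
```

Log the `reason` field so that requests for the affected languages on an unpatched install are visible until the upgrade lands.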
### References
- PrismJS/prism#2774
- PrismJS/prism#2688