Regular Expression Denial of Service (ReDoS) in Prism

high severity Published Jun 28, 2021 in PrismJS/prism • Updated Jun 30, 2021

Package

prismjs (npm)

Affected versions

< 1.24.0

Patched versions

1.24.0

Description

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that takes a very long time to highlight. Do not use the following languages to highlight untrusted text.

  • ASCIIDoc
  • ERB

Other languages are not affected and can be used to highlight untrusted text.
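One way to enforce the mitigation above in an application that highlights user-supplied text is a guard in front of the highlight call: if the installed prismjs version is below the patched release and the requested grammar is one of the affected ones, skip highlighting and return HTML-escaped plain text instead. The following is an added example, not code from the advisory or from Prism itself. It assumes Prism's grammar ids for the two affected languages are "asciidoc" and "erb", takes the highlighter as an injected function (in a real app that would wrap `Prism.highlight(code, Prism.languages[language], language)`), and uses a deliberately minimal stand-in highlighter so it runs offline.

```javascript
// Added example (not part of the advisory or of Prism): refuse to run the
// affected Prism grammars on untrusted input when the installed version is
// below the patched release, and fall back to HTML-escaped plain text.

// Version data from the advisory (CVE-2021-32723): patched in 1.24.0.
const PATCHED_VERSION = "1.24.0";
// Assumed Prism grammar ids for the two languages the advisory lists.
const AFFECTED_LANGUAGES = new Set(["asciidoc", "erb"]);

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing pre-release ignored).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing numerically per component.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed prismjs is older than the patched release.
function isVulnerableVersion(installedVersion) {
  return compareSemver(installedVersion, PATCHED_VERSION) < 0;
}

// True unless the combination (vulnerable version, affected grammar) applies.
function isSafeForUntrusted(installedVersion, language) {
  const lang = String(language).toLowerCase();
  return !(isVulnerableVersion(installedVersion) && AFFECTED_LANGUAGES.has(lang));
}

// Minimal HTML escaping for the plain-text fallback.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Guarded entry point. `highlightFn(code, language)` is the real highlighter;
// it is only invoked when the guard says the grammar is safe for this input.
function highlightUntrusted(highlightFn, installedVersion, code, language) {
  if (!isSafeForUntrusted(installedVersion, language)) {
    return { highlighted: false, html: escapeHtml(code) };
  }
  return { highlighted: true, html: highlightFn(code, language) };
}

// Constructed stand-in highlighter so the example runs without prismjs.
function demoHighlighter(code, language) {
  return `<code class="language-${language}">${escapeHtml(code)}</code>`;
}

// Usage: on an unpatched install, ERB input from a user is escaped, not parsed.
const example = highlightUntrusted(demoHighlighter, "1.23.0", "<%= a %>", "erb");
console.log(example.highlighted, example.html);
```

The version check belongs in the guard rather than in a comment because the safe set of grammars changes with upgrades: once the dependency is bumped to 1.24.0 or later, `isSafeForUntrusted` returns true for every grammar and the fallback path is never taken.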

Patches

This problem has been fixed in Prism v1.24.

References

RunDevelopment (@RunDevelopment) published the maintainer security advisory on Jun 28, 2021.

CVE ID

CVE-2021-32723

CVSS Score

7.4 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H