
Regular Expression Denial of Service in prismjs

moderate severity Published Sep 20, 2021 • Updated Sep 29, 2021

Package

npm prismjs (npm)

Affected versions

< 1.25.0

Patched versions

1.25.0

Description

The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker who can supply a crafted HTML comment as input to be highlighted can make the application consume an excessive amount of CPU. The impact is to availability only: highlighting untrusted markup on a server (or in a shared worker) is the case where this matters most, since one request can stall the process for the rest of the load.
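Added example, not part of the advisory and not Prism's own grammar code: the advisory does not publish the affected pattern, so the two comment regexes below are constructed solely to show the ReDoS class it describes (a nested quantifier that backtracks exponentially when the `-->` terminator is missing) beside an unambiguous alternative that fails in linear time. The block also checks an installed version string against the advisory's `< 1.25.0` range. The names `VULNERABLE_COMMENT`, `SAFE_COMMENT`, `measureMs` and `isAffected` are this example's own.

```javascript
// Added example for this advisory. The two regexes below are CONSTRUCTED
// to illustrate the ReDoS class; they are not Prism's own grammar patterns.

// Nested quantifier: the body can be split between the inner `.*` and the
// outer `*` in 2^(n-1) ways, and every split is tried when `-->` is missing.
const VULNERABLE_COMMENT = /<!--(.*)*-->/;

// Unambiguous body: each character is consumed by exactly one alternative
// ("not a dash", or "a dash that does not begin -->"), so a failed match
// costs work linear in the input length.
const SAFE_COMMENT = /<!--(?:[^-]|-(?!->))*-->/;

// Constructed attacker input: an opener with no terminator.
function unterminatedComment(n) {
  return "<!--" + "a".repeat(n);
}

// Wall-clock milliseconds for one test() call.
function measureMs(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Advisory range: affected < 1.25.0. Accepts "1.24.1" or "v1.24.1";
// prerelease/build suffixes are ignored for the comparison.
const PATCHED = [1, 25, 0];
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return false; // exactly 1.25.0, which is patched
}

// Both patterns accept well-formed comments; only the failure path differs.
// Doubling n roughly doubles the vulnerable pattern's time; the safe one stays flat.
for (const n of [12, 14, 16, 18]) {
  const input = unterminatedComment(n);
  console.log(
    `n=${n}: vulnerable ${measureMs(VULNERABLE_COMMENT, input).toFixed(2)} ms,` +
      ` safe ${measureMs(SAFE_COMMENT, input).toFixed(3)} ms`
  );
}
console.log("prismjs 1.24.1 affected:", isAffected("1.24.1"));
console.log("prismjs 1.25.0 affected:", isAffected("1.25.0"));
```

Run with `node`. Besides upgrading to 1.25.0, a practical defence where untrusted input reaches a highlighter on a server is to bound the input size and run highlighting with a timeout (for example in a worker that can be terminated), since a regex engine without memoization gives no way to interrupt a single `test()` call once it has started.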

References

CVE ID

CVE-2021-3801

CVSS Score

6.5 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
(network attack vector, low complexity, no privileges required, user interaction required, scope unchanged; no confidentiality or integrity impact, high availability impact)