GHSA-GJ77-59WH-66HG (Google OSV)

Regular Expression Denial of Service (ReDoS) in Prism

Published: 2021-06-28 18:33:18
Source: Google, osv.dev

EPSS: 0.001 (Low), percentile 46.4%

Some Prism language definitions in versions before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-supplied) text, an attacker can craft a string that takes a very long time to highlight. Do not use the following languages to highlight untrusted text.

  • ASCIIDoc
  • ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.
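The practical question for a deployment is whether a given Prism language may be applied to untrusted input at the version actually installed. The following is an added example, not code from the advisory or from the Prism project: a small policy gate that combines the affected range from this advisory (prismjs < 1.24.0) with the two language definitions it names (ASCIIDoc and ERB), and falls back to HTML-escaped plain text when the grammar must not be run. The Prism language ids "asciidoc", "adoc" and "erb" and the `highlightFn` stand-in for Prism.highlight are assumptions; Prism itself is not loaded here.

```javascript
// Added example (not part of the advisory or of Prism): a policy gate that
// decides whether a Prism language may be used on untrusted text, given the
// installed prismjs version and the languages this advisory names.
// Assumed Prism language ids: "asciidoc" (alias "adoc") and "erb".

// Language ids the advisory says must not be used on untrusted input before 1.24.0.
const REDOS_AFFECTED_LANGUAGES = new Set(["asciidoc", "adoc", "erb"]);
const FIXED_VERSION = "1.24.0"; // from the advisory's "Patches" section

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// A leading "v" is tolerated; build metadata is ignored for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ? m[4].split(".") : [] };
}

// Negative if a < b, 0 if equal, positive if a > b, using semver ordering
// (a prerelease of 1.24.0 sorts before 1.24.0 itself, so it is still affected).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease.length === 0 && pb.prerelease.length === 0) return 0;
  if (pa.prerelease.length === 0) return 1;  // a release outranks any prerelease
  if (pb.prerelease.length === 0) return -1;
  const n = Math.max(pa.prerelease.length, pb.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = pa.prerelease[i], y = pb.prerelease[i];
    if (x === undefined) return -1;  // the shorter identifier list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x - +y; }
    else if (xn) return -1;          // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed prismjs is inside the advisory's affected range (< 1.24.0).
function isAffectedVersion(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Decide whether `language` may be used to highlight untrusted text.
// Returns { allowed, reason } so the caller can log why a request was refused.
function untrustedHighlightPolicy(language, installedVersion) {
  const lang = String(language).toLowerCase();
  if (!isAffectedVersion(installedVersion)) {
    return { allowed: true, reason: `prismjs ${installedVersion} includes the fix from ${FIXED_VERSION}` };
  }
  if (REDOS_AFFECTED_LANGUAGES.has(lang)) {
    return { allowed: false, reason: `language "${lang}" is ReDoS-affected in prismjs ${installedVersion}; upgrade to ${FIXED_VERSION}` };
  }
  return { allowed: true, reason: `language "${lang}" is not named as affected in GHSA-GJ77-59WH-66HG` };
}

// Minimal HTML escaping for the plain-text fallback path.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Gate a highlight call behind the policy. `highlightFn(text, language)` is an
// assumed stand-in for Prism.highlight; on refusal the text is returned escaped
// and unhighlighted instead of being fed to the vulnerable grammar.
function highlightUntrusted(highlightFn, text, language, installedVersion) {
  const decision = untrustedHighlightPolicy(language, installedVersion);
  if (!decision.allowed) {
    return { html: escapeHtml(text), highlighted: false, reason: decision.reason };
  }
  return { html: highlightFn(text, language), highlighted: true, reason: decision.reason };
}
```

The version comparison is deliberately a full semver ordering rather than a string compare, because a prerelease such as 1.24.0-rc.1 predates the fix and must still be treated as affected; the language check is case-insensitive because Prism language names are commonly supplied by user-controlled class attributes.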

References

  • PrismJS/prism#2774
  • PrismJS/prism#2688

Affected package

  CPE Name    Operator    Version
  prismjs     lt          1.24.0
