1980286 – (CVE-2021-32723) CVE-2021-32723 npm-prismjs: a malicious (long) string will take a long time to highlight may result in ReDoS

Bug 1980286 (CVE-2021-32723) - CVE-2021-32723 npm-prismjs: a malicious (long) string will take a long time to highlight may result in ReDoS

Summary: CVE-2021-32723 npm-prismjs: a malicious (long) string will take a long time t...

Keywords:
Status:	NEW
Alias:	CVE-2021-32723
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1981616 1981864
Blocks:	1980287
TreeView+	depends on / blocked

Reported:	2021-07-08 09:16 UTC by Marian Rehak
Modified:	2023-09-01 00:37 UTC (History)
CC List:	20 users (show)
Fixed In Version:	npm-prismjs 1.24.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in npm-prismjs. An attacker can craft a string that will take a very long time to highlight when used to work with un-trusted text resulting in ReDoS. This can affect the system availability. There is no known risk of privilege escalation on data compromise.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2021-07-08 09:16:47 UTC

An attacker can craft a string that will take a very very long time to highlight and result in ReDoS.  As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text.

Upstream Reference:

https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg

Comment 3 subhro 2021-07-13 01:45:18 UTC

Upstream fix: https://github.com/PrismJS/prism/pull/2774/files

Note You need to log in before you can comment on or make changes to this bug.

anharris
anpicker
bmontgom
bniver
eparis
fjansen
flucifre
gmeno
hvyas
jburrell
jwendell
mbenjamin
mhackett
nstielau
rcernich
sostapov
spasquie
sponnaga
twalsh
vereddy