Lucene search
GoogleOSV:GHSA-HGMG-HHC8-G5WRHistoryJan 29, 2021 - 9:51 p.m.
CKEditor 5 Markdown plugin Regular expression Denial of Service
2021-01-2921:51:22
Google
osv.dev
7
0.001 Low
EPSS
Percentile
40.7%
Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0.
Patches
The problem has been recognized and patched. The fix will be available in version 25.0.0.
Workarounds
The user can work around the issue by:
- Upgrading CKEditor 5 to version 25.0.0.
- Disabling the Markdown plugin.
More information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Acknowledgements
The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and
Alvaro Muñoz from GitHub for reporting it.
| CPE | Name | Operator | Version |
|---|---|---|---|
| @ckeditor/ckeditor5-markdown-gfm | lt | 25.0.0 |
Related
prion
prion
Design/Logic Flaw
2021-01-29 22:15:00
osv
osv
CVE-2021-21254
2021-01-29 22:15:14
github
github
CKEditor 5 Markdown plugin Regular expression Denial of Service
2021-01-29 21:51:22
nvd
nvd
CVE-2021-21254
2021-01-29 22:15:14
cve
cve
CVE-2021-21254
2021-01-29 22:15:14
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-02-01 10:51:29
nodejs
nodejs
Regular Expression Denial of Service
2021-02-23 01:44:40
cvelist
cvelist
CVE-2021-21254 Regular expression Denial of Service in Markdown plugin
2021-01-29 21:55:14