GHSA-hgmg-hhc8-g5wr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hgmg-hhc8-g5wr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-hgmg-hhc8-g5wr/GHSA-hgmg-hhc8-g5wr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-hgmg-hhc8-g5wr
- Aliases
- Related
- Published
- 2021-01-29T21:51:22Z
- Modified
- 2023-11-01T04:54:09.743986Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- CKEditor 5 Markdown plugin Regular expression Denial of Service
- Details
-
Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0.
Patches
The problem has been recognized and patched. The fix will be available in version 25.0.0.
Workarounds
The user can work around the issue by: - Upgrading CKEditor 5 to version 25.0.0. - Disabling the Markdown plugin.
More information
If you have any questions or comments about this advisory: * Email us at security@cksource.com
Acknowledgements
The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and Alvaro Muñoz from GitHub for reporting it.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-01-29T21:50:43Z", "nvd_published_at": "2021-01-29T22:15:00Z", "cwe_ids": [ "CWE-400" ] }- References
Affected packages
npm / @ckeditor/ckeditor5-markdown-gfm
Package
- Name
- @ckeditor/ckeditor5-markdown-gfm
- View open source insights on deps.dev
- Purl
- pkg:npm/%40ckeditor/ckeditor5-markdown-gfm