Regular Expression Denial of Service (ReDoS) in Prism

High
RunDevelopment published GHSA-93gc-7v2v-7v7m May 2, 2021

Package

npm prismjs (npm)

Affected versions

<1.23

Patched versions

1.23

Description

Some language definitions in Prism versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string whose highlighting takes a very long time, because the affected grammars contain regular expressions that backtrack super-linearly on such input. Do not use the following languages to highlight untrusted text.

  • ASCIIDoc
  • Bash
  • Batch
  • C#
  • Eiffel
  • Elm
  • Fortran
  • FTL
  • Gherkin
  • HAML
  • HCL
  • Lisp
  • Lua
  • Neon
  • Nix
  • PHP
  • Pug
  • Puppet
  • Q
  • Rest
  • Ruby
  • SASS
  • SCSS
  • Shell sessions
  • Stylus
  • Swift
  • TAP
  • Textile
  • Xeora

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.23.

References

Severity

High

CVE ID

CVE-2021-23341

Weaknesses