Severity: low

Regular Expression Denial of Service

@ckeditor/ckeditor5-markdown-gfm

Overview

In affected versions of @ckeditor/ckeditor5-markdown-gfm a regular expression denial of service (ReDoS) vulnerability has been discovered.

Impact

The vulnerability made it possible to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users of the CKEditor 5 Markdown plugin at version <= 24.0.0.

Workarounds

  • Disabling the Markdown plugin.

Remediation

Upgrade to version 25.0.0 or later.

Resources


Advisory timeline

  1. Advisory Published: Feb 23rd, 2021
  2. Reported by Anonymous: Feb 23rd, 2021