Severity: high

    Regular Expression Denial of Service

    prismjs

    Overview

    In prismjs before 1.24.0 some languages are vulnerable to Regular Expression Denial of Service (ReDoS).

    Impact

    When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very long time to highlight. Do not use the following languages to highlight untrusted text.

    • ASCIIDoc
    • ERB

    Other languages are not affected and can be used to highlight untrusted text.

    Patches

    This problem has been fixed in Prism v1.24.

    References

    • PrismJS/prism#2774
    • PrismJS/prism#2688

    Remediation

    Upgrade to version 1.24.0 or later.
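    As an added example (not part of the advisory or the Prism project), the guard below applies the Impact and Remediation guidance in code: untrusted input is refused for the two affected languages unless the installed Prism version is at least 1.24.0, and otherwise falls back to HTML-escaped plain text. The `adoc` alias for ASCIIDoc and the `highlightFn` parameter (meant to receive something like `Prism.highlight`) are assumptions, not taken from the advisory.

```javascript
// Added example, not from the advisory or from Prism itself.
// Languages the advisory names as affected before 1.24.0.
// "adoc" is assumed here to be Prism's alias for asciidoc.
const AFFECTED_LANGUAGES = new Set(['asciidoc', 'adoc', 'erb']);
const FIXED_VERSION = '1.24.0'; // first version with the fix, per the advisory

// Parse "major.minor.patch" (optional leading "v"; any suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when highlighting untrusted input with `language` is safe with respect
// to this advisory: the language is unaffected, or Prism is >= 1.24.0.
function isSafeForUntrusted(language, prismVersion) {
  const lang = String(language).toLowerCase();
  if (!AFFECTED_LANGUAGES.has(lang)) return true;
  return compareVersions(prismVersion, FIXED_VERSION) >= 0;
}

// Minimal HTML escaping used for the fallback path.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, c => map[c]);
}

// Wrapper around a highlight function (hypothetical; e.g. Prism.highlight).
// On a vulnerable version the affected grammars are never run on the input.
function highlightUntrusted(highlightFn, text, grammar, language, prismVersion) {
  if (!isSafeForUntrusted(language, prismVersion)) {
    return escapeHtml(text);
  }
  return highlightFn(text, grammar, language);
}
```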

    Advisory timeline

    1. published

      Advisory Published
      Jun 28th, 2021
    2. reported

      Reported by Anonymous
      Jun 28th, 2021