CVE-2021-32723 — Regular Expression Denial of Service (ReDoS) in Prism

Description

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). ### Impact When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text. - ASCIIDoc - ERB Other languages are __not__ affected and can be used to highlight untrusted text. ### Patches This problem has been fixed in Prism v1.24. ### References - PrismJS/prism#2774 - PrismJS/prism#2688

How to fix CVE-2021-32723

To remediate CVE-2021-32723, upgrade the affected package to a fixed version below.

—upgrade to 1.24.0 or later

Is CVE-2021-32723 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.24.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32723
PATCHgithub.com/PrismJS/prism
WEBgithub.com/PrismJS/prism/commit/d85e30da6755fdbe7f8559f8e75d122297167018
WEBgithub.com/PrismJS/prism/pull/2688
WEB