CVE-2020-26237
Prototype Pollution vulnerability in highlight.js (npm)
What is CVE-2020-26237 About?
This vulnerability is a Prototype Pollution affecting the 'highlight.js' package when processing malicious HTML code blocks. Attackers can inject arbitrary properties into JavaScript's object prototype, potentially causing application crashes or unexpected behavior, leading to a Denial of Service. Exploitation occurs if a user can insert custom HTML code blocks that the application then attempts to highlight.
Affected Software
- highlight.js
- >10.0.0, <10.1.2
- <9.18.2
Technical Details
Affected versions of the highlight.js package (prior to 9.18.2 and 10.1.2) are vulnerable to Prototype Pollution. When the library highlights a specially crafted HTML code block, a crafted string can reach the __proto__ property of the base Object prototype. Specifically, if a user can provide custom language names or structures in their HTML code blocks (e.g., via Markdown parsing), this input is not properly sanitized. During the highlighting process, the vulnerable code inadvertently allows arbitrary properties to be injected into Object.prototype, affecting all objects in the JavaScript runtime. This can lead to unexpected program behavior, type confusion errors, or application crashes, essentially functioning as a Denial of Service vector.
What is the Impact of CVE-2020-26237?
Successful exploitation may allow attackers to inject arbitrary properties into global JavaScript object prototypes, leading to application crashes, unexpected behavior, and a potential denial of service.
What is the Exploitability of CVE-2020-26237?
Exploitation of this Prototype Pollution vulnerability requires moderate complexity. An attacker needs the ability to insert custom HTML code blocks into a page or application that uses highlight.js for syntax highlighting. This could be via a Markdown editor, a rich text editor, or any content submission form that allows code blocks. Prerequisites include the application not filtering or sanitizing user-provided language names. Authentication requirements depend on whether the content submission mechanism is accessible to unauthenticated users. Privilege requirements are low, as the attack targets the client-side JavaScript environment or server-side rendering logic. This is generally a remote exploitation scenario. The risk is heightened in applications that allow untrusted users to submit code snippets or rich text content which includes code highlighting features.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-26237?
About the Fix from Resolved Security
The patch changes the languages and aliases objects to be created with Object.create(null) instead of as plain objects, preventing prototype pollution attacks by eliminating the default Object prototype chain. This fixes CVE-2020-26237 because attackers can no longer use crafted input keys like __proto__ or constructor to access or overwrite properties on Object.prototype, closing an avenue for malicious code execution or unexpected behavior.
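An added illustration of the plain-object versus Object.create(null) difference described in the fix and in the Technical Details above (example code, not highlight.js's own; the registry and helper names are constructed):

```javascript
// Added example, not code from highlight.js: a minimal language registry that
// shows why keying a plain object by user-supplied names is unsafe and how
// Object.create(null) removes the inherited prototype chain.

// Shared registry logic; only the backing-object factory differs.
function makeRegistry(createStore) {
  const languages = createStore(); // name -> language definition
  const aliases = createStore();   // alias -> canonical name

  return {
    register(name, definition, aliasNames = []) {
      languages[name] = definition;
      for (const alias of aliasNames) aliases[alias] = name;
    },
    // Resolve an alias, then fetch the definition. With a plain object,
    // names such as "constructor" or "__proto__" resolve to members inherited
    // from Object.prototype instead of to undefined, so the caller receives a
    // shared built-in object where it expects a language definition it may mutate.
    lookup(name) {
      const target = aliases[name];
      const canonical = typeof target === 'string' ? target : name;
      return languages[canonical];
    },
  };
}

// Weak: plain object literals inherit from Object.prototype.
function makePlainRegistry() {
  return makeRegistry(() => ({}));
}

// Hardened, the approach the fix takes: objects with a null prototype have
// no inherited members, so only explicitly registered keys resolve.
function makeNullProtoRegistry() {
  return makeRegistry(() => Object.create(null));
}

// Returns true when an unregistered name still yields a value, i.e. when the
// registry would hand a prototype member to the highlighter.
function leaksInheritedMember(registry, name) {
  return registry.lookup(name) !== undefined;
}

// Demo with a constructed language entry.
const plain = makePlainRegistry();
const safe = makeNullProtoRegistry();
for (const r of [plain, safe]) r.register('javascript', { name: 'JavaScript' }, ['js']);
console.log('plain leaks __proto__:', leaksInheritedMember(plain, '__proto__')); // true
console.log('null-proto leaks __proto__:', leaksInheritedMember(safe, '__proto__')); // false
```

An equivalent defensive check at the lookup site is `Object.prototype.hasOwnProperty.call(languages, name)` before reading the key, which rejects inherited names even on a plain object.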
Available Upgrade Options
- highlight.js
- <9.18.2 → Upgrade to 9.18.2
- highlight.js
- >10.0.0, <10.1.2 → Upgrade to 10.1.2
Additional Resources
- https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://osv.dev/vulnerability/GHSA-vfrc-7r7c-w9mx
- https://github.com/highlightjs/highlight.js/pull/2636
- https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx
- https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html
- https://www.npmjs.com/package/highlight.js
- https://nvd.nist.gov/vuln/detail/CVE-2020-26237
What are Similar Vulnerabilities to CVE-2020-26237?
Similar Vulnerabilities: CVE-2020-7729, CVE-2021-23369, CVE-2021-3782, CVE-2021-3807, CVE-2022-21696
