CVE-2021-23341
Regular Expression Denial of Service (ReDoS) vulnerability in prismjs

Type: Regular Expression Denial of Service (ReDoS). Known exploit: none.

What is CVE-2021-23341 About?

This vulnerability affects PrismJS before version 1.23.0, allowing a Regular Expression Denial of Service (ReDoS) through specific language components. An attacker can supply crafted input that causes the application to hang or crash because of excessive regex processing. Exploitation is typically easy, requiring only that a malicious string be submitted.

Affected Software

prismjs <1.23.0

Technical Details

The PrismJS package, specifically its 'prism-asciidoc', 'prism-rest', 'prism-tap', and 'prism-eiffel' components, contains regular expressions that are susceptible to catastrophic backtracking. When these components process certain crafted input strings, the regex engine's matching time grows exponentially with the input. This leads to extremely long processing times or an application freeze, resulting in a denial of service condition.

What is the Impact of CVE-2021-23341?

Successful exploitation may allow attackers to cause a denial of service, rendering the affected application or service unresponsive.

What is the Exploitability of CVE-2021-23341?

Exploiting this ReDoS vulnerability involves providing a malicious string to the vulnerable PrismJS components. The complexity is low, as it primarily requires feeding a crafted input. No special authentication or elevated privileges are typically needed if the application exposes an interface that processes user-controlled data via these PrismJS components. This is generally a remote vulnerability when the application is web-facing. The likelihood of exploitation increases if user-supplied content, such as code snippets or documentation, is parsed server-side or client-side using the affected PrismJS versions and components.

What are the Known Public Exploits?

No known public exploits: no PoC, author, link or commentary is listed.

What are the Available Fixes for CVE-2021-23341?

Available Upgrade Options

  • prismjs
    • <1.23.0 → Upgrade to 1.23.0
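The following is an added example, not code from the advisory or from the PrismJS project: a small audit helper that checks an installed prismjs version against the fixed release (1.23.0) and reports which of the four affected language grammars named under Technical Details are actually loaded. The function names, and the way the caller obtains the version string and the list of loaded grammars, are assumptions.

```javascript
// Added example (not from the advisory or the PrismJS project): audit a
// PrismJS installation against CVE-2021-23341. The caller supplies the
// installed version string and the list of loaded language grammars.

const FIXED_VERSION = [1, 23, 0];
// Components the advisory names as containing the backtracking regexes.
const AFFECTED_COMPONENTS = ['asciidoc', 'rest', 'tap', 'eiffel'];

// Parse "1.22.0" (or "v1.22.0-beta.1") into numeric [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unrecognised version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed version is < 1.23.0, i.e. in the vulnerable range.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] < FIXED_VERSION[i];
  }
  return false; // exactly 1.23.0 is the fixed release
}

// Returns the affected grammars that are loaded, or [] when the version is
// fixed. Grammar names are the language keys Prism registers; in a real
// deployment they would come from Object.keys(Prism.languages) (assumption).
function auditPrism(version, loadedLanguages) {
  if (!isVulnerableVersion(version)) return [];
  const loaded = new Set(loadedLanguages.map((l) => l.toLowerCase()));
  return AFFECTED_COMPONENTS.filter((c) => loaded.has(c));
}

// Constructed sample: an old install with two affected grammars loaded
// alongside unaffected ones.
const findings = auditPrism('1.22.0', ['markup', 'javascript', 'asciidoc', 'rest']);
console.log(
  findings.length
    ? `upgrade prismjs to 1.23.0; affected grammars loaded: ${findings.join(', ')}`
    : 'not affected by CVE-2021-23341'
);
```

A version at or above 1.23.0 yields no findings even when the four grammars are loaded, since the fix lives in the grammar regexes themselves.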


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23341?

Similar Vulnerabilities: CVE-2021-23425, CVE-2021-23346, CVE-2021-29060, CVE-2020-8260, CVE-2022-21665