CVE-2021-32723
Regular Expression Denial of Service (ReDoS) vulnerability in prismjs


What is CVE-2021-32723 About?

This vulnerability in Prism.js allows for a Regular Expression Denial of Service (ReDoS) when certain languages are used to highlight untrusted text. Attackers can craft strings that lead to extremely long processing times, causing a denial of service. The ease of exploitation is moderate, requiring specific language use and malicious input.

Affected Software

prismjs <1.24.0

Technical Details

The vulnerability, classified as Regular Expression Denial of Service (ReDoS), exists in Prism.js versions prior to 1.24.0. Specifically, certain regular expressions used for syntax highlighting in languages like AsciiDoc and ERB are prone to exponential backtracking when processing specially crafted input strings. An attacker can submit untrusted text containing patterns that, when matched against these vulnerable regular expressions, cause the regex engine to backtrack excessively. This significantly increases processing time and CPU consumption, making the application that performs the highlighting slow or unresponsive and resulting in a denial of service.

What is the Impact of CVE-2021-32723?

Successful exploitation may allow attackers to cause applications or services using the vulnerable Prism.js library to become unresponsive, leading to denial of service, degraded user experience, and resource exhaustion.

What is the Exploitability of CVE-2021-32723?

Exploitation requires an attacker to be able to provide untrusted text input to an application that uses Prism.js for syntax highlighting, specifically with the vulnerable AsciiDoc or ERB languages enabled. The complexity is moderate, as crafting a string that triggers exponential backtracking requires some understanding of regular expression vulnerabilities. There are no explicit authentication or privilege requirements; any user who can submit text for highlighting could potentially exploit this. The attack can be remote if the application accepts user-generated content from the web. The prerequisite is that the application must be configured to highlight untrusted input using the affected languages. The risk is increased in scenarios where user-supplied content is directly highlighted without sanitization.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-32723?

Available Upgrade Options

  • prismjs
    • <1.24.0 → Upgrade to 1.24.0
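
To find where the upgrade still needs to be applied, the following added example (not code from Prism.js or from this advisory) scans an npm lockfile for prismjs copies below 1.24.0, including nested transitive copies. The lockfile contents and every package name other than prismjs are constructed for illustration.

```javascript
// Added example: flag prismjs installs older than 1.24.0 in an npm lockfile.
// SAMPLE_LOCK is constructed for illustration; it is not from a real project.

// Parse "major.minor.patch[-prerelease]" into a comparable 4-tuple.
// The last slot is 0 for a prerelease and 1 for a release, so that
// 1.24.0-beta.1 sorts before 1.24.0, as semver requires.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1] : null;
}

const FIXED = parseVersion("1.24.0"); // first patched release per the advisory

// True when tuple a sorts strictly before tuple b (numeric, not lexical).
function isBefore(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the lockfile v2/v3 "packages" map (keys are node_modules paths) and
// report every prismjs copy that predates the fix.
function findVulnerablePrism(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/prismjs$/.test(path)) continue;
    const parsed = parseVersion(meta.version);
    // Unparseable versions are reported so they get a manual look.
    if (!parsed || isBefore(parsed, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/prismjs": { version: "1.24.0" },
    "node_modules/docs-widget/node_modules/prismjs": { version: "1.23.0" },
    "node_modules/prismjs-extras": { version: "0.1.0" }, // different package
  },
};

for (const hit of findVulnerablePrism(SAMPLE_LOCK)) {
  console.log(`prismjs ${hit.version} at ${hit.path} is below 1.24.0`);
}
```

For a real project, pass the parsed contents of its own package-lock.json to findVulnerablePrism in place of SAMPLE_LOCK.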

What are Similar Vulnerabilities to CVE-2021-32723?

Similar Vulnerabilities: CVE-2021-29469, CVE-2021-32640, CVE-2021-29482, CVE-2021-32014, CVE-2021-32012