CVE-2021-3801
Denial of Service vulnerability in prismjs (npm)
What is CVE-2021-3801 About?
Prism, a syntax highlighting library, is vulnerable to a Regular Expression Denial of Service (ReDoS). An attacker can provide a specially crafted HTML comment as input, causing the application to consume excessive CPU resources. This can lead to a denial of service for any service using the vulnerable Prism library.
Affected Software
- prismjs (npm), versions before 1.25.0
Technical Details
The vulnerable code is the `comment` pattern of Prism's markup grammar, which the html, xml and svg languages also use. Before the fix the pattern matched a comment opener `<!--` and then lazily consumed any character until it found the closer `-->`. On input that contains many openers and no closer, every opener starts a match attempt that scans to the end of the input before failing; the engine then moves to the next opener and repeats the scan. Total work therefore grows with the square of the input length rather than linearly. This is polynomial, not exponential, backtracking, but the cost quadruples each time the input doubles, so a large run of repeated `<!--` is enough to tie up a CPU core for a noticeable time. The highlight call blocks for that whole period, stalling the thread or event loop that handles the input and denying service to the application or page that embeds Prism.
What is the Impact of CVE-2021-3801?
Successful exploitation may allow attackers to exhaust system resources, leading to a denial of service for the affected application or service.
What is the Exploitability of CVE-2021-3801?
Exploitation requires getting a crafted HTML comment into input that a vulnerable Prism build highlights with the markup grammar (the grammar behind the html, xml and svg languages). Crafting the input takes little effort once the vulnerable pattern is known: a long run of comment openers with no closing `-->` is enough to trigger the slow path. Authentication is not needed where the input path is reachable by unauthenticated users, for example user-submitted content on a public website, and no privileges are required beyond the ability to supply input. The vulnerability is remotely triggerable whenever untrusted content is highlighted, whether server-side (a build or rendering step that highlights submitted snippets, where the process hangs) or client-side in the browser (where the viewing user's page freezes). Preconditions are a prismjs version before 1.25.0 and highlighting of untrusted input that can contain HTML comments; the highest-risk deployments are those that accept arbitrary user input and pass it straight to Prism.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3801?
About the Fix from Resolved Security
The patch updates the regular expression used to match HTML comments in the markup grammar so that a comment opener (`<!--`) encountered inside a comment stops the match attempt instead of being consumed. Before the change, each opener in a run of unterminated openers made the engine scan to the end of the input before giving up, so total matching time grew quadratically with input size; after the change an attempt fails as soon as it reaches the next opener, and matching time is linear. This removes the CPU-exhaustion path behind CVE-2021-3801. One behavioural side effect to be aware of when upgrading: a comment that contains a literal `<!--` is no longer tokenised as a single comment starting at the first opener.
Available Upgrade Options
- prismjs
- <1.25.0 → Upgrade to 1.25.0
Additional Resources
- https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9
- https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a
- https://nvd.nist.gov/vuln/detail/CVE-2021-3801
- https://osv.dev/vulnerability/GHSA-hqhp-5p83-hx96
- https://github.com/prismjs/prism
What are Similar Vulnerabilities to CVE-2021-3801?
Similar Vulnerabilities: CVE-2022-24999, CVE-2022-1929, CVE-2020-28500, CVE-2020-7661, CVE-2020-7762
