Skip to content

Regex denial of service vulnerability in codesample plugin

Low severity GitHub Reviewed Published Jan 6, 2021 in tinymce/tinymce • Updated Jan 9, 2023

Package

npm tinymce (npm)

Affected versions

< 5.6.0

Patched versions

5.6.0

Description

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Disable the codesample plugin
  • Disable ruby code samples using the codesample_languages setting
  • Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

If you have any questions or comments about this advisory:

References

@lnewson lnewson published to tinymce/tinymce Jan 6, 2021
Reviewed Jan 6, 2021
Published to the GitHub Advisory Database Jan 6, 2021
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-h96f-fc7c-9r55

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.