CVE-2021-21254

29.01.2021, 22:15

CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized and patched. The fix will be available in version 25.0.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Vendor	Product	Version
ckeditor	ckeditor5	𝑥 < 25.0.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/ckeditor/ckeditor5/releases/tag/v25.0.0

https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr

https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm

https://github.com/ckeditor/ckeditor5/releases/tag/v25.0.0

https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr

https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm