CVE-2021-21254
published 2021-01-29
Priority: P4 · 34 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.79% (75.6th percentile)
CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regular expression denial of service (ReDoS) vulnerability. The vulnerability allowed an attacker to abuse the link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users of the CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized and patched. The fix will be available in version 25.0.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ckeditor | ckeditor5 | < 25.0.0 | 25.0.0 |
| ckeditor | ckeditor5-markdown-gfm | >= 0 < 25.0.0 | 25.0.0 |
CVSS provenance
NVD v3.1: 6.5 MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD v2.0: 4.0 MEDIUM — AV:N/AC:L/Au:S/C:N/I:N/A:P
GHSA
ghsa · 2021-01-29
CVE-2021-21254 [MEDIUM] CWE-400: CKEditor 5 Markdown plugin Regular expression Denial of Service
### Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed an attacker to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users of the CKEditor 5 Markdown plugin at version <= 24.0.0.
### Patches
The problem has been recognized and patched. The fix will be available in version 25.0.0.
### Workarounds
The user can work around the issue by:
- Upgrading CKEditor 5 to version 25.0.0.
- Disabling the Markdown plugin.
### More information
If you have any questions or comments about this advisory:
* Email us at [email protected]
OSV
osv · 2021-01-29
CVE-2021-21254 [MEDIUM] CKEditor 5 Markdown plugin Regular expression Denial of Service
(Advisory text identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ckeditor/ckeditor5/releases/tag/v25.0.0
- https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm
Published: 2021-01-29