CVE-2021-32723
HIGH7.4EPSS 0.37%Regular Expression Denial of Service (ReDoS) in Prism
Published: 6/28/2021Modified: 3/13/2026
Description
Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). ### Impact When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text. - ASCIIDoc - ERB Other languages are __not__ affected and can be used to highlight untrusted text. ### Patches This problem has been fixed in Prism v1.24. ### References - PrismJS/prism#2774 - PrismJS/prism#2688
Affected packages (1)
- npm/prismjsfrom 0, < 1.24.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-32723
- PATCHhttps://github.com/PrismJS/prism
- WEBhttps://github.com/PrismJS/prism/commit/d85e30da6755fdbe7f8559f8e75d122297167018
- WEBhttps://github.com/PrismJS/prism/pull/2688
- WEBhttps://github.com/PrismJS/prism/pull/2774
- WEBhttps://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg
- WEBhttps://www.oracle.com/security-alerts/cpujan2022.html