CVE-2021-3822
Regular Expression Denial of Service in jsoneditor
Severity: MEDIUM 5.3
EPSS: 0.33%
Published: 9/29/2021
Modified: 11/8/2023
Also known as: GHSA-hhfg-6hfc-rvxm
Description
JSON Editor is a web-based tool to view, edit, format, and validate JSON. It has various modes such as a tree editor, a code editor, and a plain text editor. The jsoneditor package is vulnerable to ReDoS (regular expression denial of service). An attacker who is able to provide a crafted element as input to the getInnerText function may cause an application to consume an excessive amount of CPU. The pinned line below uses the vulnerable regex.
Affected packages (1)
- npm/jsoneditor: from 0, < 9.5.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |