Описание
CKEditor 5 Markdown plugin Regular expression Denial of Service
Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0.
Patches
The problem has been recognized and patched. The fix will be available in version 25.0.0.
Workarounds
The user can work around the issue by:
- Upgrading CKEditor 5 to version 25.0.0.
- Disabling the Markdown plugin.
More information
If you have any questions or comments about this advisory:
- Email us at security@cksource.com
Acknowledgements
The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and Alvaro Muñoz from GitHub for reporting it.
Пакеты
@ckeditor/ckeditor5-markdown-gfm
<= 24.0.0
25.0.0
Связанные уязвимости
CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized and patched. The fix will be available in version 25.0.0.