A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.
The problem has been recognized and patched. The fix will be available in version 27.0.0.
Email us at [email protected] if you have any questions or comments about this advisory.
The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.
| Score | Percentile |
|---|---|
| 8.30% | 92.10% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-3rh3-wfr4-76mj ↗ |
| CVE | CVE-2021-21391 ↗ |
| CWE id | Name |
|---|---|
| CWE-400 | Uncontrolled Resource Consumption |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @ckeditor/ckeditor5-engine | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-font | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-image | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-list | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-markdown-gfm | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-media-embed | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-paste-from-office | <= 26.0.0 | 27.0.0 | — |
| npm | @ckeditor/ckeditor5-widget | <= 26.0.0 | 27.0.0 | — |