Regular expression Denial of Service in multiple packages

Description

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Not specified
Published (advisory)
2021-04-06 17:28:41 UTC
Updated
2023-02-01 05:05:16 UTC
GitHub reviewed
2021-03-31 18:37:46 UTC
NVD published
2021-04-28

EPSS Score

Score Percentile
8.30% 92.10%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-400 Uncontrolled Resource Consumption

Affected packages (8)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @ckeditor/ckeditor5-engine <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-font <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-image <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-list <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-markdown-gfm <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-media-embed <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-paste-from-office <= 26.0.0 27.0.0
npm @ckeditor/ckeditor5-widget <= 26.0.0 27.0.0

References

cvelogic Threat Intelligence