CVE-2021-21391

CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.

References

Affected packages

Git / github.com/ckeditor/ckeditor5

Affected ranges

Type: GIT
Repo: https://github.com/ckeditor/ckeditor5
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bf30aaa96be9b35cd6dca8563a7304fcd5092f63

Affected versions

10.*

10.1.0

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.9.0

v1.*

v1.0.0-alpha.1

v1.0.0-alpha.2

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.4

v10.*

v10.0.0

v10.0.1

v10.1.0

v11.*

v11.0.0

v11.0.1

v11.1.0

v11.1.1

v11.2.0

v12.*

v12.0.0

v12.1.0

v12.2.0

v12.3.0

v12.3.1

v12.4.0

v15.*

v15.0.0

v16.*

v16.0.0

v17.*

v17.0.0

v18.*

v18.0.0

v19.*

v19.0.0

v19.1.0

v19.1.1

v20.*

v20.0.0

v21.*

v21.0.0

v22.*

v22.0.0

v23.*

v23.0.0

v23.1.0

v24.*

v24.0.0

v25.*

v25.0.0

v26.*

v26.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21391.json"