CVE-2021-21391

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21391
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21391.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21391
Aliases
Related
Published
2021-04-29T01:15:07Z
Modified
2025-01-14T08:43:28.344822Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.

References

Affected packages

Git / github.com/ckeditor/ckeditor5

Affected ranges

Type
GIT
Repo
https://github.com/ckeditor/ckeditor5
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bf30aaa96be9b35cd6dca8563a7304fcd5092f63

Affected versions

10.*

10.1.0

v0.*

v0.1.0
v0.10.0
v0.11.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.9.0

v1.*

v1.0.0-alpha.1
v1.0.0-alpha.2
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.4

v10.*

v10.0.0
v10.0.1
v10.1.0

v11.*

v11.0.0
v11.0.1
v11.1.0
v11.1.1
v11.2.0

v12.*

v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.3.1
v12.4.0

v15.*

v15.0.0

v16.*

v16.0.0

v17.*

v17.0.0

v18.*

v18.0.0

v19.*

v19.0.0
v19.1.0
v19.1.1

v20.*

v20.0.0

v21.*

v21.0.0

v22.*

v22.0.0

v23.*

v23.0.0
v23.1.0

v24.*

v24.0.0

v25.*

v25.0.0

v26.*

v26.0.0