Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNyaDMtd2ZyNC03Nm1q
Regular expression Denial of Service in multiple packages
Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.
Patches
The problem has been recognized and patched. The fix will be available in version 27.0.0.
For more information
Email us at [email protected] if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.
Permalink: https://github.com/advisories/GHSA-3rh3-wfr4-76mjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNyaDMtd2ZyNC03Nm1q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-3rh3-wfr4-76mj, CVE-2021-21391
References:
- https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj
- https://github.com/ckeditor/ckeditor5/releases/tag/v27.0.0
- https://www.npmjs.com/package/@ckeditor/ckeditor5-engine
- https://www.npmjs.com/package/@ckeditor/ckeditor5-font
- https://www.npmjs.com/package/@ckeditor/ckeditor5-image
- https://www.npmjs.com/package/@ckeditor/ckeditor5-list
- https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm
- https://www.npmjs.com/package/@ckeditor/ckeditor5-media-embed
- https://www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office
- https://www.npmjs.com/package/@ckeditor/ckeditor5-widget
- https://nvd.nist.gov/vuln/detail/CVE-2021-21391
- https://github.com/advisories/GHSA-3rh3-wfr4-76mj
Blast Radius: 23.7
Affected Packages
npm:@ckeditor/ckeditor5-widget
Dependent packages: 234Dependent repositories: 3,762
Downloads: 1,675,327 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.1.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.1.0, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-paste-from-office
Dependent packages: 2,427Dependent repositories: 3,597
Downloads: 1,020,631 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.0.1, 10.0.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.1.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 19.0.2, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-media-embed
Dependent packages: 2,416Dependent repositories: 3,440
Downloads: 945,691 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.0.1, 10.0.0, 10.1.0, 11.0.0, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.1.0, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-markdown-gfm
Dependent packages: 434Dependent repositories: 258
Downloads: 86,663 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-list
Dependent packages: 2,841Dependent repositories: 3,925
Downloads: 1,129,358 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 10.0.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.1.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.0.1, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-image
Dependent packages: 2,716Dependent repositories: 4,054
Downloads: 1,079,882 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.1.2, 14.0.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-font
Dependent packages: 1,778Dependent repositories: 1,207
Downloads: 436,197 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.0.1, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 11.0.0, 11.1.0, 11.1.1, 11.2.0, 11.2.1, 11.2.2, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1
npm:@ckeditor/ckeditor5-engine
Dependent packages: 341Dependent repositories: 4,485
Downloads: 2,144,098 last month
Affected Version Ranges: <= 26.0.0
Fixed in: 27.0.0
All affected versions: 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, 13.0.0, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 14.0.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1