Prism
CVE-2021-32723
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 12 npm packages depend on prismjs (12 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.24.0.
DescriptionNVD
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
AnalysisAI
Prism is a syntax highlighting library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text. Affected products include: Prismjs Prism, Oracle Application Express. Version information: before 1.24.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc,
prism is vulnerable to Inefficient Regular Expression Complexity. Rated medium severity (CVSS 6.5), this vulnerability i
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but
Prism is a syntax highlighting library. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today