// For flags

CVE-2021-21254

Regular expression Denial of Service in Markdown plugin

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized and patched. The fix will be available in version 25.0.0.

CKEditor 5 es un framework de edición de texto enriquecido de código abierto con una arquitectura modular.&#xa0;El plugin CKEditor 5 Markdown (@ckeditor/ckeditor5-markdown-gfm) anterior a versión 25.0.0, presenta una vulnerabilidad de denegación de servicio de expresiones regulares (ReDoS).&#xa0;La vulnerabilidad permitió abusar de la expresión regular de reconocimiento de enlace, lo que podría causar una caída significativa en el rendimiento resultando en la congelación de la pestaña del navegador.&#xa0;Afecta a todos los usuarios que usan el plugin CKEditor 5 Markdown en la versión anterior a 24.0.0 e incluyéndola.&#xa0;El problema ha sido reconocido y parcheado.&#xa0;La corrección estará disponible en la versión 25.0.0

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-12-22 CVE Reserved
  • 2021-01-29 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-400: Uncontrolled Resource Consumption
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ckeditor
Search vendor "Ckeditor"
Ckeditor5
Search vendor "Ckeditor" for product "Ckeditor5"
< 25.0.0
Search vendor "Ckeditor" for product "Ckeditor5" and version " < 25.0.0"
-
Affected