Regex denial of service vulnerability in codesample plugin

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

Upgrade to TinyMCE 5.6.0 or higher
Disable the codesample plugin
Disable ruby code samples using the codesample_languages setting
Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

If you have any questions or comments about this advisory:

Open an issue in the TinyMCE repo
Email us at [email protected]

Published: Jan 6, 2021
Updated: Apr 14, 2023
GHSA: GHSA-h96f-fc7c-9r55
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
tinymce	-	5.6.0

Vulnerability Database