Your submission was sent successfully! Close

CVE-2021-21391

Published: 29 April 2021

CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.

Notes

AuthorNote
litios
This only affects CKEditor 5 and all releases currently use
CKEditor 4 (2022-03-16)
Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
ckeditor
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
ckeditor3
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist