CVE-2021-21254

Description

### Impact A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0. ### Patches The problem has been recognized and patched. The fix will be available in version 25.0.0. ### Workarounds The user can work around the issue by: - Upgrading CKEditor 5 to version 25.0.0. - Disabling the Markdown plugin. ### More information If you have any questions or comments about this advisory: * Email us at [security@cksource.com](mailto:security@cksource.com) ### Acknowledgements The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and Alvaro Muñoz from GitHub for reporting it.

How to fix CVE-2021-21254

To remediate CVE-2021-21254, upgrade the affected package to a fixed version below.

• —upgrade to 25.0.0 or later

Is CVE-2021-21254 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 25.0.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21254
• PATCHgithub.com/ckeditor/ckeditor5
• WEBgithub.com/ckeditor/ckeditor5/releases/tag/v25.0.0
• WEBgithub.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr