Vulnerability Details CVE-2021-21391
CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability was discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users of the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 79.0%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
Products affected by CVE-2021-21391