6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21254

GHSA ID

GHSA-hgmg-hhc8-g5wr

EPSS Score

0.58024%

CWE

CWE-400

Published

1/29/2021

Updated

1/30/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21254

CVE-2021-21254: CKEditor 5 Markdown plugin Regular expression Denial of Service

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 25.0.0.

Workarounds

The user can work around the issue by:

Upgrading CKEditor 5 to version 25.0.0.
Disabling the Markdown plugin.

More information

If you have any questions or comments about this advisory:

Email us at security@cksource.com

Acknowledgements

The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and Alvaro Muñoz from GitHub for reporting it.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21254

GHSA ID

GHSA-hgmg-hhc8-g5wr

EPSS Score

0.58024%

CWE

CWE-400

Published

1/29/2021

Updated

1/30/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@ckeditor/ckeditor5-markdown-gfm	npm	<= 24.0.0	25.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly relates to a ReDoS in link recognition regex in the Markdown plugin. While exact function names aren't provided in the advisory, CKEditor's architecture uses GFMDataProcessor for Markdown conversion. The _htmlToMarkdown method (or similar link handling logic) would contain the vulnerable regex pattern matching links. The high confidence comes from: 1) The advisory specifically mentions 'link recognition regular expression' 2) The patched version 25.0.0 would logically modify this processing logic 3) ReDoS vulnerabilities in Markdown processors are typically found in the regex patterns used for link/URL detection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r**ul*r *xpr*ssion **ni*l o* s*rvi** (R**oS) vuln*r**ility **s ***n *is*ov*r** in t** *K**itor * M*rk*own plu*in *o**. T** vuln*r**ility *llow** to **us* * link r**o*nition r**ul*r *xpr*ssion, w*i** *oul* **us* * si*ni*i**nt p*r*orm*n**

Reasoning

T** vuln*r**ility *xpli*itly r*l*t*s to * R**oS in link r**o*nition r***x in t** M*rk*own plu*in. W*il* *x**t *un*tion n*m*s *r*n't provi*** in t** **visory, `*K**itor`'s *r**it**tur* us*s `**M**t*Pro**ssor` *or M*rk*own *onv*rsion. T** `_*tmlToM*rk*

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-21254: CKEditor 5 Markdown plugin Regular expression Denial of Service

Impact

Patches

Workarounds

More information

Acknowledgements

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI