CVE-2021-21254: CKEditor 5 Markdown plugin Regular expression Denial of Service
CVSS Score (v3.1): 6.5
Basic Information

CVE ID: CVE-2021-21254
GHSA ID:
EPSS Score: 0.58024%
CWE:
Published: 1/29/2021
Updated: 1/30/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @ckeditor/ckeditor5-markdown-gfm | npm | <= 24.0.0 | 25.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability explicitly relates to a ReDoS in the link recognition regex in the Markdown plugin. While exact function names aren't provided in the advisory, CKEditor's architecture uses GFMDataProcessor for Markdown conversion. The _htmlToMarkdown method (or similar link handling logic) would contain the vulnerable regex pattern matching links. The high confidence comes from:

1. The advisory specifically mentions 'link recognition regular expression'.
2. The patched version 25.0.0 would logically modify this processing logic.
3. ReDoS vulnerabilities in Markdown processors are typically found in the regex patterns used for link/URL detection.