CVE-2020-27511

7.5 HIGH

📋 TL;DR

CVE-2020-27511 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Prototype.js library, versions 1.7.3 and earlier. String#stripTags removes markup with a regular expression whose attribute-matching group can consume a quote character in more than one way (as the start of a quoted value or as a plain non-'>' character). An opening-tag fragment that is never closed, followed by a long run of quote characters, forces the engine to try every way of pairing those quotes before it gives up, and the work grows exponentially with the run length. String#unescapeHTML calls stripTags first, so it is affected too. Prototype.js is a browser library, so the CPU is normally burned in the browser of whoever renders the crafted input (a frozen tab per victim); an application that runs the library server-side stalls its own worker instead.

💻 Affected Systems

Products:
  • Prototype JavaScript Framework
Versions: 1.7.3 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that passes user-controlled input to Prototype's stripTags or unescapeHTML, directly or through code that calls them, is affected. The cost is paid wherever the call runs: usually the browser of the user viewing the content, or the server process if the library is used server-side.

📦 What is this software?

Prototype is a client-side JavaScript framework (DOM helpers, Ajax wrappers, and extensions to built-in types such as String#stripTags and String#unescapeHTML). It ships as a single prototype.js file that applications vendor, often concatenated into a larger bundle; Ruby on Rails bundled it as its default JavaScript library through version 3.0. Its last release, 1.7.3, dates from September 2015.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Every user who renders the crafted content gets a hung browser tab, so one stored payload (a comment, a profile field) makes the affected page unusable for all visitors. Where the library is used server-side, each worker that processes the payload is stuck in the regular expression and the service becomes unavailable.

🟠

Likely Case

Intermittent freezes or killed tabs for users who view attacker-supplied content; for server-side use, degraded throughput and timeouts while workers are stuck in the regular expression.

🟢

If Mitigated

Minimal impact once the functions are replaced or the library updated; input length caps, a quote-run check, and rate limiting reduce exposure in the meantime.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on GitHub demonstrates ReDoS with crafted HTML tags.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.4 or later, if published. Confirm that a tagged release containing the fix exists before relying on a version number: when this CVE was published, 1.7.3 (September 2015) was still the latest release in the upstream repository. If no later release is available, apply the fix at source level by replacing the vulnerable functions (see the workarounds).

Upstream Repository: https://github.com/prototypejs/prototype

Restart Required: No server restart. The library is a static file, so redeploy it under a cache-busting name or with cache headers that make browsers stop using the cached vulnerable copy.

Instructions:

1. Update Prototype.js to a release that contains the fix (1.7.4 or later, once available), or replace the stripTags and unescapeHTML functions with a linear-time implementation.
2. Replace the vendored prototype.js file, or the bundle that contains it, in your application, with a cache-busting file name or header so browsers fetch the new copy.
3. Test application functionality, including a timing check of stripTags on a hostile input (an unclosed tag followed by several dozen quote characters) to confirm the fix took effect.

🔧 Temporary Workarounds

Input Validation

Platforms: all

Cap the length of any field that reaches stripTags or unescapeHTML, and reject input in which an opening-tag fragment ("<name" followed by whitespace) has no closing '>' and is followed by more than a few dozen quote characters. The backtracking cost grows with that quote count, so bounding the count bounds the cost.

Rate Limiting

Platforms: all

Rate limit endpoints that accept HTML input. This caps how often a server-side caller can be stalled, but it does not protect browsers: a single stored payload freezes every client that renders it.

🧯 If You Can't Patch

  • Put a WAF or request-validation rule in front of endpoints that accept HTML: reject bodies over a size cap, and bodies in which an unclosed "<name" fragment is followed by a long run of quote characters (the shape that triggers the backtracking)
  • Replace stripTags and unescapeHTML with a linear-time implementation (a single-pass scanner, or, in the browser, DOMParser's parseFromString followed by reading textContent), and remove call sites that pass untrusted input when they are not needed
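The following is an added example written for this advisory; it is not code from the page or from the Prototype.js project. It reproduces the stripTags pattern from Prototype 1.7.3 to show why the mechanism described in the TL;DR blows up, then supplies the linear-time replacement suggested above. The scanner's tokenizer-style semantics (an unclosed tag at end of input is dropped rather than kept), the function names, the hostile payload and the timing helper are this example's own choices.

```javascript
// Added example for this advisory; not code from the Prototype.js project.
// VULNERABLE_TAG_RE is the pattern String#stripTags uses in Prototype 1.7.3;
// unescapeHTML calls stripTags first, which is why both functions are affected.
const VULNERABLE_TAG_RE = /<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/\w+>/gi;

function stripTagsVulnerable(s) {
  return s.replace(VULNERABLE_TAG_RE, '');
}

// Why it blows up: inside the repeated group a double quote can be consumed
// either by `"[^"]*"` (two adjacent quotes at once) or by `[^>]` (one quote).
// A run of m quotes after an unclosed "<a " therefore has Fibonacci(m+1) ways
// to reach the missing '>', and the engine tries every one before giving up.
function hostileInput(m) {
  return '<a ' + '"'.repeat(m);   // constructed payload: tag fragment, quotes, no '>'
}

function isTagNameChar(c) {
  return c !== undefined && /^[A-Za-z0-9_]$/.test(c);   // same set as \w
}

// Hardened replacement: one left-to-right pass with no backtracking, so the
// cost is linear in the input length. Semantics follow the HTML tokenizer
// rather than the regex: '<' plus an optional '/' plus a name character opens
// a tag, a quoted attribute value may contain '>', and a tag still open at
// end of input is dropped. It is still not an HTML sanitizer.
function stripTagsSafe(s) {
  let out = '';
  let i = 0;
  const n = s.length;
  while (i < n) {
    if (s[i] !== '<') { out += s[i]; i++; continue; }
    let j = i + 1;
    if (s[j] === '/') j++;
    if (!isTagNameChar(s[j])) { out += '<'; i++; continue; }   // literal '<' in text
    let quote = null;                  // quote character currently open, if any
    let k = j;
    while (k < n) {
      const c = s[k];
      if (quote !== null) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      k++;
    }
    i = k + 1;                         // skip the whole tag (or the unclosed tail)
  }
  return out;
}

// The entity replacements Prototype applies, with the safe stripper in front.
function unescapeHTMLSafe(s) {
  return stripTagsSafe(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

function elapsedMs(fn) {
  const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());
  const t0 = now();
  fn();
  return now() - t0;
}

// Demo: each extra quote multiplies the regex's work by about 1.6, while the
// scanner's time stays proportional to the input length.
for (const m of [18, 22, 26]) {
  const input = hostileInput(m);
  const regexMs = elapsedMs(() => stripTagsVulnerable(input));
  const scanMs = elapsedMs(() => stripTagsSafe(input));
  console.log(`m=${m}: regex ${regexMs.toFixed(2)} ms, scanner ${scanMs.toFixed(3)} ms`);
}
console.log(stripTagsSafe('<p>Hello <b>World</b>!</p>'));   // Hello World!
```

Raise m in the demo loop by four or five at a time to watch the regex column climb into seconds while the scanner column stays flat; keep the vulnerable call off any path that handles untrusted input.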

🔍 How to Verify

Check if Vulnerable:

Any copy of prototype.js at version 1.7.3 or earlier is vulnerable, including copies concatenated into an application bundle, so check vendored files and built assets, not only package manifests.

Check Version:

grep -rn --include='*.js' -E 'Prototype JavaScript framework, version [0-9.]+' .

At runtime, in the browser console of a page that loads the library: Prototype.Version

Verify Fix Applied:

Verify that the file banner and Prototype.Version report the fixed version (or that the two functions were replaced), then time stripTags on a test string consisting of "<a " followed by forty quote characters: the fixed or replaced function returns immediately, the vulnerable one takes seconds rather than milliseconds.

📡 Detection & Monitoring

Log Indicators:

  • Server-side use of the library: worker CPU pegged while request processing times and timeouts rise on endpoints that accept HTML input
  • Browser-side use (the usual case): nothing in server logs; user reports of a page freezing, or client-side performance telemetry showing long tasks on the affected page

Network Indicators:

  • Requests to HTML-accepting endpoints whose bodies contain an unclosed "<name" fragment followed by a long run of quote characters, especially repeated from one source

SIEM Query:

source="web_server" AND (cpu_usage>90 OR response_time>5000)

Scope this to the endpoints in your application that accept HTML input; a function name such as stripTags never appears in a request URI, so a filter like uri="*stripTags*" matches nothing. The field names are placeholders for your log schema, and these server-side signals only appear when the library runs server-side.
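An added example serving both the pre-filter suggested under Temporary Workarounds and If You Can't Patch and the network indicator above; it is not code from the page or from Prototype.js. It checks an input for the one shape that drives the 1.7.3 regex into exponential backtracking: an opening-tag fragment with quote characters after it that cannot be paired off against a later '>'. Because a '>' inside a quoted value can be swallowed by the regex's quoted-value branch, the quotes that matter are those after the last '>' in the input (or after the fragment, if that comes later). The length cap and quote budget are assumptions, the function names are this example's own, and the request bodies are constructed.

```javascript
// Added example for this advisory; not part of Prototype.js or of the page.
// Linear-time pre-filter for the input shape that makes the 1.7.3 stripTags
// regex backtrack exponentially. Usable in request validation, as a WAF rule,
// or as a scoring rule over request bodies when hunting.

const MAX_INPUT_LENGTH = 64 * 1024;  // assumption: generous cap for a rich-text field
const QUOTE_BUDGET = 32;             // assumption: 32 quotes already means millions of paths

// Returns { ok: true } or { ok: false, reason, detail }. One bounded regex,
// one lastIndexOf and one counting pass: no nested quantifiers anywhere.
function checkRedosShape(input) {
  if (input.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: 'input exceeds length cap', detail: input.length };
  }
  const fragment = /<\w+\s/.exec(input);        // earliest opening-tag fragment
  if (fragment === null) return { ok: true };   // regex never enters the attribute group
  // Quotes the engine cannot pair off against a later '>' are the ones after
  // the last '>' (or after the fragment itself if that comes later); every
  // way of pairing them is explored once the match is doomed.
  const start = Math.max(fragment.index, input.lastIndexOf('>') + 1);
  let quotes = 0;
  for (let i = start; i < input.length; i++) {
    if (input[i] === '"' || input[i] === "'") quotes++;
  }
  if (quotes >= QUOTE_BUDGET) {
    return { ok: false, reason: 'unclosed tag followed by a run of quotes', detail: quotes };
  }
  return { ok: true };
}

// Constructed request bodies standing in for what an endpoint, or a log of
// request payloads, would carry.
const SAMPLE_BODIES = [
  { id: 'plain-text', body: 'Thanks, that "works" for me!' },
  { id: 'normal-markup', body: "<p>See <a href=\"https://example.com/?q=a>b\" title='x'>this</a>.</p>" },
  { id: 'unclosed-but-short', body: '<a href="unfinished' },
  { id: 'redos-double', body: '<a ' + '"'.repeat(40) },
  { id: 'redos-after-last-gt', body: '<a "x>x"' + "'".repeat(40) },
  { id: 'oversized', body: '<p>' + 'A'.repeat(MAX_INPUT_LENGTH + 1) + '</p>' },
];

function triage(bodies) {
  return bodies.map(({ id, body }) => ({ id, ...checkRedosShape(body) }));
}

for (const r of triage(SAMPLE_BODIES)) {
  console.log(r.ok ? `accept ${r.id}` : `reject ${r.id}: ${r.reason} (${r.detail})`);
}
```

The check is deliberately conservative: an earlier fragment whose path never reaches the trailing quotes is still rejected, which costs nothing for legitimate rich text, where dozens of quotes after an unclosed tag do not occur. Tune QUOTE_BUDGET down if the field is short, and log the rejected body and source address so repeated submissions surface in the SIEM query above.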
