CVE-2021-23341

7.5 HIGH

📋 TL;DR

This vulnerability affects the PrismJS syntax highlighting library in versions before 1.23.0. Specially crafted input to the prism-asciidoc, prism-rest, prism-tap, and prism-eiffel language components triggers catastrophic backtracking in their regular expression patterns (a ReDoS), consuming excessive CPU and potentially hanging or crashing the application. Any application that highlights untrusted content with a vulnerable PrismJS version and one of these components is affected.

💻 Affected Systems

Products:
  • PrismJS
  • Applications using PrismJS for syntax highlighting
Versions: All versions before 1.23.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the vulnerable components: prism-asciidoc, prism-rest, prism-tap, prism-eiffel

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability due to CPU exhaustion, potentially affecting all users of the service.

🟠 Likely Case: Degraded performance or temporary service disruption for users accessing pages with maliciously crafted content.

🟢 If Mitigated: Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to submit content that is processed by one of the vulnerable PrismJS language components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.23.0 and later

Vendor Advisory: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cmcc

Restart Required: No

Instructions:

1. Update PrismJS to version 1.23.0 or later using your package manager (npm update prismjs)
2. Verify that no vulnerable copies of prismjs remain in the dependency tree
3. Test syntax highlighting functionality

🔧 Temporary Workarounds

Disable vulnerable components (applies to: all versions)

Remove or disable the prism-asciidoc, prism-rest, prism-tap, and prism-eiffel components if they are not needed; remove the component imports from your application.

Input validation (applies to: all versions)

Implement strict input validation and length limits for content processed by PrismJS.

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious patterns in user input
  • Deploy rate limiting to prevent repeated exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json and package-lock.json for any prismjs entry with a version below 1.23.0, including nested copies pulled in by other dependencies.

Check Version:

npm list prismjs

Verify Fix Applied:

Verify that every installed copy of prismjs is at version 1.23.0 or higher (npm list prismjs shows nested copies as well as the top-level one).
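The lock-file check above, as an added example script that is not part of this advisory or of PrismJS itself: it walks a package-lock.json (lockfileVersion 1, 2 or 3), lists every installed copy of prismjs, and flags those below the fixed version 1.23.0. The sample lock object at the bottom is constructed for illustration.

```javascript
// Added example (not from the advisory): audit a package-lock.json for copies
// of prismjs below 1.23.0, the version that fixes CVE-2021-23341.
const FIXED = [1, 23, 0];

// Turn "1.22.0", "v1.22.0" or "1.22.0-beta.1" into [1, 22, 0] (prerelease tag ignored).
function parseVersion(v) {
  return String(v).replace(/^v/, '').split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// True when the version sorts strictly below 1.23.0.
function isVulnerable(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    if (x < FIXED[i]) return true;
    if (x > FIXED[i]) return false;
  }
  return false; // exactly 1.23.0 is fixed
}

// Collect every prismjs entry (top-level or nested) with its install path.
function findPrismjs(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === 'prismjs') found.push({ path, version: meta.version });
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'prismjs') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Annotate each copy with whether it is still vulnerable.
function auditLock(lock) {
  return findPrismjs(lock).map(e => ({ ...e, vulnerable: isVulnerable(e.version) }));
}

// Constructed sample: the top-level copy is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/prismjs': { version: '1.23.0' },
    'node_modules/some-markdown-lib/node_modules/prismjs': { version: '1.22.0' },
  },
};
console.log(auditLock(sampleLock)); // nested 1.22.0 copy reported as vulnerable: true
```

Replace sampleLock with JSON.parse of your project's package-lock.json to audit a real tree; nested copies are the ones npm update prismjs alone can miss.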

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Application crashes or timeouts during content processing

Network Indicators:

  • Unusually large payloads to content submission endpoints

SIEM Query:

source="application_logs" AND ("CPU spike" OR "timeout" OR "prism")

This query is a starting point only; tune the terms to the log fields your application actually emits around highlighting and request timeouts.
