CVE-2021-32723

7.4 HIGH

📋 TL;DR

CVE-2021-32723 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Prism syntax highlighting library in versions before 1.24.0. An attacker can craft input strings that cause excessive processing time when Prism highlights untrusted text in the ASCIIDoc or ERB languages. This affects any application that uses a vulnerable Prism version to highlight user-provided content.

💻 Affected Systems

Products:
  • PrismJS
  • Any application using Prism syntax highlighting library
Versions: All versions before 1.24.0
Operating Systems: All operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ASCIIDoc and ERB language definitions; other Prism languages are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service: the application becomes unresponsive because CPU is exhausted by the vulnerable regular expressions processing crafted input, potentially affecting all users.

🟠 Likely Case

Degraded performance or temporary unavailability of the specific features that highlight user content in the affected languages.

🟢 If Mitigated

Minimal impact once patched or with workarounds in place; normal operation continues for unaffected languages.

🌐 Internet-Facing: HIGH - Any web application using vulnerable Prism versions to highlight user-generated content is exposed to DoS attacks.
🏢 Internal Only: MEDIUM - Internal applications could still be affected but attack surface is smaller than internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafting malicious strings; no authentication or special privileges needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Prism v1.24.0 and later

Vendor Advisory: https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg

Restart Required: No

Instructions:

1. Update Prism to version 1.24.0 or later.
2. For npm: npm update prismjs
3. For direct download: replace prism.js/prism.min.js with the patched version.
4. Verify the update by checking the version in the file header or in package.json.

🔧 Temporary Workarounds

Disable vulnerable languages (applies to: all)

Remove or disable the ASCIIDoc and ERB language definitions from the Prism configuration, i.e. remove 'asciidoc' and 'erb' from the Prism language loading configuration.

Input validation (applies to: all)

Implement length limits and validate user input before it is passed to the highlighter.

🧯 If You Can't Patch

  • Implement strict input validation and length limits for user content
  • Use alternative syntax highlighting libraries for ASCIIDoc and ERB content

🔍 How to Verify

Check if Vulnerable:

Check Prism version in package.json or prism.js file header; versions <1.24.0 are vulnerable

Check Version:

npm list prismjs (for npm) or grep -i 'version' prism.js

Verify Fix Applied:

Confirm Prism version is 1.24.0 or higher and test highlighting with sample ASCIIDoc/ERB content
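An added example, not part of this advisory or of the Prism project, that combines the version check above with the input-validation workaround: it compares the installed Prism version against 1.24.0 and refuses to highlight ASCIIDoc or ERB input on a vulnerable version, while enforcing a length limit for every language. The highlighter is passed in as a function so the snippet runs without prismjs installed; the default limit of 10000 characters is an assumed value.

```javascript
// Added example (not advisory or Prism project code): gate untrusted text
// before it reaches Prism.highlight(), per CVE-2021-32723.
const FIXED_VERSION = "1.24.0";                 // first fixed Prism release
const AFFECTED_LANGUAGES = new Set(["asciidoc", "erb"]);

// Numeric comparison of dotted versions ("1.9.0" < "1.24.0"); a pre-release
// suffix such as "-beta" is ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given Prism version is still affected (< 1.24.0).
function isVulnerablePrismVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Apply the page's two mitigations: a length limit for all input, and a
// refusal of the affected grammars on a vulnerable version. Returns { ok, reason }.
function checkHighlightRequest(text, language, prismVersion, maxLength = 10000) {
  if (typeof text !== "string" || text.length > maxLength) {
    return { ok: false, reason: "input exceeds length limit" };
  }
  if (AFFECTED_LANGUAGES.has(language) && isVulnerablePrismVersion(prismVersion)) {
    return { ok: false, reason: `refusing ${language}: Prism ${prismVersion} < ${FIXED_VERSION}` };
  }
  return { ok: true, reason: "" };
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// `highlight(text, language)` is the injected highlighter (in a real app,
// wrap Prism.highlight). On refusal, fall back to escaped plain text so the
// vulnerable regular expression never runs on the input.
function safeHighlight(text, language, prismVersion, highlight, maxLength) {
  const verdict = checkHighlightRequest(text, language, prismVersion, maxLength);
  if (!verdict.ok) {
    return { highlighted: false, reason: verdict.reason, html: escapeHtml(text) };
  }
  return { highlighted: true, reason: "", html: highlight(text, language) };
}
```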

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for content highlighting
  • High CPU usage spikes when processing user content

Network Indicators:

  • Increased response times for pages with syntax highlighting
  • Timeout errors on content processing endpoints

SIEM Query:

search for 'prism' AND (cpu_usage > 90% OR response_time > 10s) AND (process_name contains 'node' OR process_name contains 'web')
