Advisories for Npm/@Ckeditor/Ckeditor5-Markdown-Gfm package

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are @ckeditor/ckeditor5-markdown-gfm, @ckeditor/ckeditor5-html-support, and @ckeditor/ckeditor5-html-embed. The specific conditions are 1) Using one of the affected packages. In case of ckeditor5-html-support and ckeditor5-html-embed, additionally, it was required to use a …

2021

Uncontrolled Resource Consumption

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze.

Uncontrolled Resource Consumption

CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized …