CVE-2025-45525: Withdrawn Advisory: microlight.js has a null pointer dereference vulnerability
(updated )
Withdrawn Advisory
This advisory has been withdrawn because a website owner has to set CSS color values. The proof of concept doesn’t demonstrate how a malicious user who is not the website owner can cause an application crash. This link has been maintained to preserve external references.
Original Description
A null pointer dereference vulnerability was discovered in microlight.js (version 0.0.7), a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash.
References
Code Behaviors & Features
Detect and mitigate CVE-2025-45525 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →