Asymmetric denial of service in TinyMCE (tinymce)
Description
Regex denial of service vulnerability in codesample plugin
Impact
A regular expression denial of service (ReDoS) vulnerability was discovered in PrismJS, the syntax-highlighting dependency bundled with the codesample plugin. Malformed or deliberately crafted Ruby code samples cause the highlighter's regular expressions to backtrack catastrophically, so a small input can consume CPU for a very long time and lock up the browser while highlighting runs (hence "asymmetric": attacker effort is trivial, victim cost is large). This impacts users of the codesample plugin on TinyMCE 5.5.1 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading the bundled PrismJS to a version (1.21.0 or higher) that no longer contains the vulnerable pattern.
Workarounds
To work around this vulnerability, either:
Upgrade to TinyMCE 5.6.0 or higher
Disable the codesample plugin
Disable Ruby code samples by removing ruby from the codesample_languages setting
Override the bundled PrismJS syntax highlighter with version 1.21.0 or higher by loading that version globally on the page and enabling the codesample_global_prismjs setting
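The following is an added example, not code from TinyMCE or from this advisory. It audits a TinyMCE 5 init configuration against the four workarounds above and produces a hardened copy. The option names plugins, codesample_languages and codesample_global_prismjs are real TinyMCE 5 options; the default language list is a constructed copy of the plugin's documented defaults; the globalPrismVersion argument is an assumption (the version of the PrismJS bundle the deploying team loads on the page), since TinyMCE itself does not report it.

```javascript
// Added example (not TinyMCE's own code): audit a TinyMCE 5 init config
// against this advisory's workarounds and return a hardened copy.
// Assumption: `globalPrismVersion` is supplied by the caller, who knows
// which PrismJS bundle the page loads alongside the editor.

const PATCHED_TINYMCE = '5.6.0';
const SAFE_PRISM = '1.21.0';

// Constructed copy of TinyMCE 5's default codesample_languages list.
const DEFAULT_CODESAMPLE_LANGUAGES = [
  { text: 'HTML/XML', value: 'markup' },
  { text: 'JavaScript', value: 'javascript' },
  { text: 'CSS', value: 'css' },
  { text: 'PHP', value: 'php' },
  { text: 'Ruby', value: 'ruby' },
  { text: 'Python', value: 'python' },
  { text: 'Java', value: 'java' },
  { text: 'C', value: 'c' },
  { text: 'C#', value: 'csharp' },
  { text: 'C++', value: 'cpp' },
];

// Numeric comparison of dotted version strings: <0, 0 or >0.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// TinyMCE accepts `plugins` as a space-separated string or an array.
function pluginList(config) {
  const p = config.plugins || '';
  return Array.isArray(p) ? p : p.split(/\s+/).filter(Boolean);
}

// Returns { exposed, reason } for an editor config together with the
// TinyMCE version and (optionally) the global PrismJS version deployed with it.
// The checks mirror the advisory's workaround list in order.
function auditCodesample(config, tinymceVersion, globalPrismVersion) {
  if (compareVersions(tinymceVersion, PATCHED_TINYMCE) >= 0) {
    return { exposed: false, reason: 'TinyMCE >= 5.6.0 ships a patched PrismJS' };
  }
  if (!pluginList(config).includes('codesample')) {
    return { exposed: false, reason: 'codesample plugin not enabled' };
  }
  const languages = config.codesample_languages || DEFAULT_CODESAMPLE_LANGUAGES;
  if (!languages.some((l) => l.value === 'ruby')) {
    return { exposed: false, reason: 'ruby removed from codesample_languages' };
  }
  if (config.codesample_global_prismjs === true &&
      globalPrismVersion && compareVersions(globalPrismVersion, SAFE_PRISM) >= 0) {
    return { exposed: false, reason: 'global PrismJS >= 1.21.0 replaces the bundled copy' };
  }
  return { exposed: true, reason: 'codesample enabled with Ruby highlighting on TinyMCE < 5.6.0' };
}

// Hardened copy using the least disruptive workaround: keep the plugin,
// drop Ruby from the language list. Does not mutate the input config.
function hardenCodesample(config) {
  const languages = config.codesample_languages || DEFAULT_CODESAMPLE_LANGUAGES;
  return {
    ...config,
    codesample_languages: languages.filter((l) => l.value !== 'ruby'),
  };
}

// Constructed sample config: exposed when deployed on TinyMCE 5.5.1,
// because it enables codesample and keeps the default language list.
const vulnerableConfig = {
  selector: 'textarea',
  plugins: 'codesample lists link',
  toolbar: 'codesample',
};

const hardenedConfig = hardenCodesample(vulnerableConfig);
```

Run the audit in CI against every init config your application ships; a config that passes only because of the global Prism override must be re-audited whenever the page's PrismJS bundle changes.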
Acknowledgements
Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
For more information
If you have any questions or comments about this advisory:
Open an issue in the TinyMCE repo
Email us at [email protected]
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| npm | tinymce | < 5.6.0 (5.5.1 or lower) | 5.6.0 |