CVE-2021-21391
CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
EPSS 1.35% · 80.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | ckeditor3 | 0, 3.6.6.1+dfsg-7 |
| Ubuntu:22.04:LTS | ckeditor3 | *, 0 |
| Ubuntu:18.04:LTS | ckeditor3 | 3.6.6.1+dfsg-1, 0 |
| Ubuntu:20.04:LTS | ckeditor3 | 0, *, 3.6.6.1+dfsg-4 |
Exploit Intelligence
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm (circl)
- https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-font (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-image (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-list (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office (circl)
- https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget (circl)
Timeline
- Apr 6, 2021 CVE Published
- Apr 29, 2021 EPSS Score
- Sep 2, 2021 EPSS Score
- Nov 4, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Mar 8, 2022 EPSS Score
- May 9, 2022 EPSS Score
- Sep 12, 2022 EPSS Score
- Nov 13, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- May 18, 2023 EPSS Score
- Jul 20, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-21391 third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-engine third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-image third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-media-embed third-party-advisory
- https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-list third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-font third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office third-party-advisory
- https://www.npmjs.com/package/@ckeditor/ckeditor5-widget third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-21391 third-party-advisory