Impact
A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.6.0 or higher
- Disable the
codesample plugin
- Disable ruby code samples using the codesample_languages setting
- Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting
Acknowledgements
Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
For more information
If you have any questions or comments about this advisory:
Impact
A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the
codesampleplugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of thecodesampleplugin using TinyMCE 5.5.1 or lower.Patches
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.
Workarounds
To work around this vulnerability, either:
codesamplepluginAcknowledgements
Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
For more information
If you have any questions or comments about this advisory: