PT-2020-21135 · Highlight.Js · Highlight.Js
Published 2020-12-04 · Updated 2020-12-04
Severity rating: no rating or metrics are available for this entry.
Name of the Vulnerable Software and Affected Versions
Highlight.js versions prior to 10.4.1
Highlight.js version 9.18.5
Description
Several of the language grammars shipped with Highlight.js contain regular expressions that backtrack exponentially or polynomially on crafted input (ReDoS, regular expression denial of service). Highlighting such input stalls the JavaScript thread: in a browser the page freezes or the tab crashes; on the server side, where highlighting runs on the single event loop, the process hangs indefinitely. Only deployments that pass user-controlled text through Highlight.js are exposed, and only when one of the affected grammars is used for that text; highlighting trusted, author-controlled code is not affected.
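The distinction the advisory draws between exponential and polynomial backtracking is easiest to see by counting match attempts rather than timing them. The following is an added example, not code from Highlight.js or from this advisory: a deliberately minimal backtracking matcher (literal characters, parenthesised groups, `+`, `*`, and a `$` anchor, anchored at the start of the input) that counts every step, plus constructed inputs of the form `aaaa…!` that almost match and then fail at the last character. The three pattern shapes are illustrative stand-ins for the kind of constructs found in real grammars, not patterns taken from Highlight.js.

```javascript
// Added example (not Highlight.js code): a tiny step-counting backtracking matcher.
// Pattern syntax is deliberately minimal: literal chars, ( ) groups, + and *
// quantifiers, and a $ end anchor. Matching is anchored at the start of the input.

function parsePattern(src) {
  let i = 0;
  function parseSeq() {
    const seq = [];
    while (i < src.length && src[i] !== ')') {
      let node;
      if (src[i] === '(') {
        i++;
        node = { type: 'group', seq: parseSeq() };
        if (src[i] !== ')') throw new Error('unbalanced parenthesis in ' + src);
        i++;
      } else if (src[i] === '$') {
        i++;
        node = { type: 'end' };
      } else {
        node = { type: 'lit', ch: src[i++] };
      }
      node.quant = (src[i] === '+' || src[i] === '*') ? src[i++] : '';
      seq.push(node);
    }
    return seq;
  }
  const seq = parseSeq();
  if (i !== src.length) throw new Error('unbalanced parenthesis in ' + src);
  return seq;
}

// Continuation-passing matcher: k(pos) receives the position after a successful
// match of the current element; a false return makes the caller backtrack.
function matchOne(node, input, pos, k, state) {
  state.steps++;
  if (node.type === 'end') return pos === input.length ? k(pos) : false;
  if (node.type === 'lit') return input[pos] === node.ch ? k(pos + 1) : false;
  return matchSeq(node.seq, 0, input, pos, k, state);
}

function matchSeq(seq, i, input, pos, k, state) {
  state.steps++;
  if (i === seq.length) return k(pos);
  const node = seq[i];
  const next = (p) => matchSeq(seq, i + 1, input, p, k, state);
  if (!node.quant) return matchOne(node, input, pos, next, state);
  // Greedy repetition: take another repeat first; when that fails, give one
  // back and let the rest of the pattern try. Every way of splitting the input
  // between nested quantifiers gets explored, which is where the blow-up comes from.
  const repeat = (p, count) => {
    // p2 > p rejects zero-width repeats so a group that matches "" cannot loop forever.
    if (matchOne(node, input, p, (p2) => p2 > p && repeat(p2, count + 1), state)) return true;
    if (node.quant === '+' && count === 0) return false;
    return next(p);
  };
  return repeat(pos, 0);
}

function run(pattern, input) {
  const state = { steps: 0 };
  const matched = matchSeq(parsePattern(pattern), 0, input, 0, () => true, state);
  return { matched, steps: state.steps };
}

// Constructed adversarial inputs: a run of 'a' followed by a character the
// pattern rejects, so the match fails only after all backtracking is exhausted.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// How much more work does the pattern do when the rejected input doubles in
// length? About 2x means linear, about 4x quadratic, hundreds of times exponential.
function growthFactor(pattern, n) {
  const small = run(pattern, adversarialInput(n)).steps;
  const large = run(pattern, adversarialInput(2 * n)).steps;
  return large / small;
}

const PATTERNS = {
  linear: 'a+$',         // one pass over the run, then fails at '!'
  polynomial: 'a*a*$',   // two adjacent quantifiers: O(n^2) ways to split the run
  exponential: '(a+)+$'  // nested quantifiers: O(2^n) ways to partition the run
};

function summarize(n) {
  const out = {};
  for (const [kind, pattern] of Object.entries(PATTERNS)) {
    out[kind] = { pattern, growth: growthFactor(pattern, n) };
  }
  return out;
}

console.log(summarize(8));
```

With n = 8 the linear pattern roughly doubles its work when the input doubles, the polynomial one roughly triples to quadruples, and the nested-quantifier pattern does hundreds of times more; push n to a few dozen characters and the exponential case alone exceeds any practical budget, which is exactly the "infinite freeze" the advisory describes. The polynomial case is the reason the workaround below treats polynomial-only grammars as tolerable: their cost still grows with input length, but it stays bounded enough that an input-size limit keeps it under control.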
Recommendations
For Highlight.js versions prior to 10.4.1, upgrade to 10.4.1, which ships the corrected grammars.
For the 9.x line (9.18.5 is the last release and contains no fix), either stop using the affected grammars or cherry-pick the individual grammar fixes from 10.4.1 into a local build.
As a temporary workaround, stop highlighting user-provided text with the affected grammars, or restrict such text to grammars whose backtracking is only polynomial: polynomial growth can be bounded by limiting input length, whereas exponential growth cannot be bounded in practice.
Resource Exhaustion (denial of service through regular expression backtracking; no code execution is involved)
Related Identifiers
Affected Products
Highlight.Js