CVE-2020-26237

Name of the Vulnerable Software and Affected Versions Highlight.js versions prior to 9.18.2 Highlight.js versions prior to 10.1.2

Description The issue is related to prototype pollution, which can occur when a malicious HTML code block is crafted, resulting in the pollution of the base object's prototype during highlighting. This can cause problems for applications not expecting these properties to exist, leading to strange behavior or application crashes, and potentially serving as a DOS vector. If a website or application does not render user-provided data, it should be unaffected.

Recommendations For versions prior to 9.18.2, upgrade to version 9.18.2 or newer. For versions prior to 10.1.2, upgrade to version 10.1.2 or newer. For versions 7 or 8, upgrade to a newer release. As a temporary workaround, consider manually patching the library to create null objects for both languages and aliases. Filter the language names that users are allowed to inject into HTML to guarantee they are valid.