CVE-2021-21391

Name of the Vulnerable Software and Affected Versions CKEditor 5 versions <= 26.0.0

Description A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages, including ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. This issue allows the abuse of particular regular expressions, causing a significant performance drop and potentially resulting in a browser tab freeze.

Recommendations For versions <= 26.0.0, update to version 27.0.0 to resolve the issue. As a temporary workaround, consider restricting the use of the affected CKEditor 5 packages until the patch is applied.