Description
Affected versions of this package are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object’s prototype during highlighting.
Recommendation
Update the highlight.js package to the latest compatible version. Followings are version details:
Affected version(s): **>= 10.0.0, < 10.1.2 < 9.18.2** Patched version(s): **10.1.2 9.18.2**
References
- GHSA-vfrc-7r7c-w9mx
- www.npmjs.com
- lists.debian.org
- www.oracle.com
- CVE-2020-26237
- CWE-471
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- tRPC 11 WebSocket DoS Vulnerability - CVE-2025-43855
- DocsGPT Allows Remote Code Execution - CVE-2025-0868
- Signature Malleabillity in elliptic - CVE-2020-13822
- Joplin Vulnerable to Code Injection - CVE-2022-23340
- Tags:
- npm
- highlight.js
Anything's wrong? Let us know Last updated on February 01, 2023