Syntax Highlighter Library Can Be Used to Freeze or Crash Your App
Your website uses an outdated version of a code-highlighting tool called Highlight.js (version 9.10.0). A known flaw in this version means that if your site lets users submit text that gets highlighted — like a code editor, comment box, or documentation tool — a malicious user could craft a special input that causes your server or browser to freeze up. This is only a concern if users can submit content that gets syntax-highlighted.
Business Impact And Actions
Business Impact (medium urgency)
If your app highlights user-submitted code or text, an attacker could deliberately slow down or freeze that feature, making it unavailable to other users. This is a service availability issue — it won't expose customer data or allow account takeovers, but it could disrupt your product and frustrate legitimate users. If you only highlight your own static content (not user input), the practical risk is very low.
What To Do
- Ask your developer to upgrade the Highlight.js library to version 10.4.1 or later — this is a straightforward package update.
- If an immediate upgrade isn't possible, ask your developer to disable syntax highlighting for any user-submitted content as a temporary measure.
- Check whether your app actually lets users submit content that gets highlighted — if not, your real-world risk is minimal and you can schedule this fix at your next maintenance window.
- After the upgrade, ask your developer to confirm the new version is in place using the verification steps in the technical notes.
Highlight.js < 10.4.1 — ReDoS via Catastrophic Regex Backtracking in Language Grammars (GHSA-7wwv-vh3v-89cq)
Vulnerability Explanation (medium severity, CVSS 5.3-5.9)
Highlight.js versions prior to 10.4.1 ship language grammar definitions whose regular expressions are susceptible to catastrophic backtracking. On a specially crafted input the regex engine explores an exponentially (or, for some grammars, polynomially) growing number of candidate matches before it can report failure, so a single call pins a CPU core for an effectively unbounded time. Grammars with exponential backtracking (C, C++, Perl, JavaScript, PowerShell, Handlebars, and others) are the most dangerous, because an input of a few dozen characters is enough; grammars with polynomial backtracking (Ruby, YAML, Kotlin, CoffeeScript, C#, Markdown, and many others) need larger inputs but are still exploitable. The flaw lives in the grammar definitions rather than in the core parser, so it is reachable through any code path that runs an affected grammar: an explicit `hljs.highlight()` call with an affected language (including one chosen by the user), or `hljs.highlightAuto()`, which tries every registered grammar against the input. Note that the default `highlight.js` build registers all common grammars, so `highlightAuto()` reaches the affected ones unless registration is restricted.
Root Cause
The affected language grammar files use regular expression patterns with nested quantifiers or overlapping alternations, so the same stretch of input can be consumed in many different ways. On a non-matching or adversarial input the backtracking engine must try each of those ways before giving up, and their number grows exponentially with input length. This is the classic 'catastrophic backtracking' shape (e.g., `(A|B+)+`, where a run of Bs can be split between the outer and inner repetitions in exponentially many ways) and it was not caught during grammar authoring. The fix in 10.4.1 rewrites the affected patterns so that the ambiguity is removed: quantifiers are tightened and exclusions added so that each input character can match in only one way and a failed match costs linear time.
Technical Impact
An attacker who can submit input to any endpoint that passes user-provided text through Highlight.js can make the highlighting call consume 100% of a CPU core for an effectively unbounded time. On the server side this is a Denial of Service: if highlighting runs on the Node.js main thread, the event loop is blocked and no other requests are served until the process is restarted. On the client side (browser/Electron) the UI thread freezes, and the browser may eventually offer to kill the page. There is no confidentiality or integrity impact; availability only.
Severity Justification
Availability-only impact (DoS), no authentication required if user input reaches the highlighter, but exploitation requires the application to pass user-controlled content to Highlight.js with an affected grammar enabled. GitHub's official advisory rates this as Moderate. No CVE has been assigned.
Affected Components
- highlight.js >= 9.0.0, < 10.4.1
- @highlightjs/cdn-assets < 10.4.1
Remediation Steps
- Upgrade highlight.js to version 10.4.1 or later: `npm install highlight.js@latest` or `yarn add highlight.js@latest`. This is the complete fix — no additional configuration is required.
- If you load Highlight.js from a CDN, update the version segment of the script URL to 10.4.1 or later (e.g., `/highlight.js/9.10.0/` becomes `/highlight.js/11.9.0/` on cdnjs, or `highlight.js@9.x` becomes `highlight.js@11.x` on unpkg/jsDelivr). If the script tag carries an `integrity` attribute, it must be regenerated for the new file, otherwise the browser will refuse to load it.
- If an immediate upgrade is blocked (e.g., by the API changes between v9 and v10/v11), as an interim measure stop calling `highlightAuto()` on user content and register only the grammars you actually need instead of the default bundle (import the core entry point, `highlight.js/lib/highlight` on 9.x, and call `hljs.registerLanguage()` for each language), leaving out every grammar named in the advisory. Do not let user-provided content reach an affected grammar, and do not let the user choose the language name passed to `hljs.highlight()`, since that reaches the grammar just as `highlightAuto()` does.
- After upgrading, audit your codebase for calls to `highlightAuto()` and for explicit use of the grammars the advisory lists (e.g., c, cpp, perl, javascript, powershell, handlebars, ruby, yaml, kotlin, coffeescript, csharp, markdown) on user-supplied input, and confirm each call site resolves to the patched version.
Verification Steps
- Run `npm ls highlight.js` (or `yarn list --pattern highlight.js`) and confirm every listed copy is 10.4.1 or higher. Check nested copies too: a Markdown renderer or editor component may bundle its own highlight.js, and that copy is the one that highlights user content.
- In a browser console or Node.js REPL, run `hljs.versionString` (or `require('highlight.js').versionString`) and verify the output is >= 10.4.1. If the property is undefined, do not treat that as a pass; fall back to the package version from the previous step.
- If loaded via CDN, inspect the network tab in browser DevTools and confirm the highlight.js script URL references version 10.4.1 or later.
- Optionally, in a throwaway environment (an unpatched build will hang), time a call against a grammar from the exponential list using an adversarial input: a long run of the repeated character that one of the grammar's string or comment rules accepts, followed by a character that breaks the match. On the patched version the call should return in milliseconds.
Code Examples (html / package.json)
<!-- CDN: vulnerable version -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.10.0/highlight.min.js"></script>
<!-- CDN: fixed version (regenerate any integrity= attribute for the new file) -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/highlight.min.js"></script>
// npm: vulnerable. package.json: "highlight.js": "^9.10.0"
// npm: fixed. Run: npm install highlight.js@latest
// package.json will then read, for example: "highlight.js": "^11.9.0"
Best Practices
- Cap the size of user-supplied content before it reaches the highlighter and rate-limit the endpoint on the server side. Input length is the main lever against ReDoS, because the cost of a catastrophic match grows with the length of the input; escaping or sanitizing the text does not help here.
- Pin or lock library versions in your package-lock.json or yarn.lock and use a dependency audit tool (e.g., `npm audit`, Snyk, or Dependabot) to receive alerts when new vulnerabilities are disclosed.
- If using `highlightAuto()`, explicitly allowlist only the grammars your application actually needs rather than registering all common grammars: import the core entry point (`highlight.js/lib/core` on 10.x and later), `registerLanguage()` each needed grammar, and pass the `languageSubset` array as the second argument to `highlightAuto()`. This reduces both attack surface and bundle size.
- For server-side highlighting of user content, run the highlight operation in a worker thread or a separate process with a hard timeout, so a runaway regex is terminated at the deadline instead of blocking the main event loop. A regex cannot be interrupted cooperatively, so the isolation boundary must be something you can kill from outside (`worker.terminate()` or killing the child process).