
Security: prismjs is vulnerable to CVE-2024-53382

Open marvingreeven opened this issue 10 months ago • 5 comments

Q&A (please complete the following information)

  • Swagger-UI version: 5.20.1

Content & configuration

npm audit --omit=dev --json --registry=https://registry.npmjs.org

Describe the bug you're encountering

swagger-ui refers to "react-syntax-highlighter" : "^15.6.1" which refers to "refractor": "^3.6.0" which refers to "prismjs": "~1.27.0".

It seems like the project react-syntax-highlighter is not maintained that well.

Additional context or thoughts

"auditReportVersion": 2,
  "vulnerabilities": {
    "prismjs": {
      "name": "prismjs",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102459,
          "name": "prismjs",
          "dependency": "prismjs",
          "title": "PrismJS DOM Clobbering vulnerability",
          "url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg",
          "severity": "moderate",
          "cwe": [
            "CWE-94"
          ],
          "cvss": {
            "score": 4.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
          },
        }
      ],
      "effects": [
        "refractor"
      ],
      "range": "<1.30.0",
      "nodes": [
        "node_modules/refractor/node_modules/prismjs"
      ],
      "fixAvailable": {
        "name": "swagger-ui",
        "version": "3.29.0",
        "isSemVerMajor": true
      }
    },
    "react-syntax-highlighter": {
      "name": "react-syntax-highlighter",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "refractor"
      ],
      "effects": [
        "swagger-ui"
      ],
      "range": ">=6.0.0",
      "nodes": [
        "node_modules/react-syntax-highlighter"
      ],
      "fixAvailable": {
        "name": "swagger-ui",
        "version": "3.29.0",
        "isSemVerMajor": true
      }
    },
    "refractor": {
      "name": "refractor",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "prismjs"
      ],
      "effects": [
        "react-syntax-highlighter"
      ],
      "range": "<=4.6.0",
      "nodes": [
        "node_modules/refractor"
      ],
      "fixAvailable": {
        "name": "swagger-ui",
        "version": "3.29.0",
        "isSemVerMajor": true
      }
    },
    "swagger-ui": {
      "name": "swagger-ui",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "react-syntax-highlighter"
      ],
      "effects": [],
      "range": ">=3.30.0",
      "nodes": [
        "node_modules/swagger-ui"
      ],
      "fixAvailable": {
        "name": "swagger-ui",
        "version": "3.29.0",
        "isSemVerMajor": true
      }
    }
  },

marvingreeven avatar Mar 24 '25 10:03 marvingreeven
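The report pasted above is easier to act on once the `via` links are followed from the direct dependency down to the advisory that actually triggers the finding. The script below does that walk; it is an added example, not code from swagger-ui or from the issue author. It assumes the `npm audit --json` v2 layout shown above, with one addition taken from npm's documented format: a `range` field on the advisory object, which the excerpt above does not show. The embedded report is a constructed copy of that excerpt.

```javascript
'use strict';
// Added example (not from swagger-ui or the issue): follow each direct dependency in an
// `npm audit --json` (auditReportVersion 2) report through its `via` links to the advisory
// that introduces the finding, and say where the vulnerable copy is installed and what
// npm offers as a fix. SAMPLE_REPORT is a constructed copy of the excerpt in the issue;
// the `range` on the advisory object is assumed from npm's documented report format.

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    prismjs: {
      name: 'prismjs', severity: 'moderate', isDirect: false,
      via: [{
        source: 1102459, name: 'prismjs', dependency: 'prismjs',
        title: 'PrismJS DOM Clobbering vulnerability',
        url: 'https://github.com/advisories/GHSA-x7hr-w5r2-h6wg',
        severity: 'moderate', cwe: ['CWE-94'],
        cvss: { score: 4.9, vectorString: 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N' },
        range: '<1.30.0',
      }],
      effects: ['refractor'], range: '<1.30.0',
      nodes: ['node_modules/refractor/node_modules/prismjs'],
      fixAvailable: { name: 'swagger-ui', version: '3.29.0', isSemVerMajor: true },
    },
    refractor: {
      name: 'refractor', severity: 'moderate', isDirect: false,
      via: ['prismjs'], effects: ['react-syntax-highlighter'], range: '<=4.6.0',
      nodes: ['node_modules/refractor'],
      fixAvailable: { name: 'swagger-ui', version: '3.29.0', isSemVerMajor: true },
    },
    'react-syntax-highlighter': {
      name: 'react-syntax-highlighter', severity: 'moderate', isDirect: false,
      via: ['refractor'], effects: ['swagger-ui'], range: '>=6.0.0',
      nodes: ['node_modules/react-syntax-highlighter'],
      fixAvailable: { name: 'swagger-ui', version: '3.29.0', isSemVerMajor: true },
    },
    'swagger-ui': {
      name: 'swagger-ui', severity: 'moderate', isDirect: true,
      via: ['react-syntax-highlighter'], effects: [], range: '>=3.30.0',
      nodes: ['node_modules/swagger-ui'],
      fixAvailable: { name: 'swagger-ui', version: '3.29.0', isSemVerMajor: true },
    },
  },
};

// Depth-first walk along `via`: a string entry names another vulnerable package in the
// report, an object entry is the advisory itself. `path` guards against cycles, which
// npm reports can contain when packages depend on each other.
function traceChains(report, name, path = []) {
  const entry = report.vulnerabilities[name];
  if (!entry) throw new Error(`package "${name}" is referenced but not present in the report`);
  if (path.includes(name)) return [];
  const here = [...path, name];
  const chains = [];
  for (const via of entry.via) {
    if (typeof via === 'string') {
      chains.push(...traceChains(report, via, here));
    } else {
      chains.push({
        path: here,
        advisory: { title: via.title, url: via.url, severity: via.severity, cwe: via.cwe, vulnerableRange: via.range },
        installedAt: entry.nodes,
      });
    }
  }
  return chains;
}

// fixAvailable is `false`, `true` (a plain `npm audit fix` suffices) or an object naming
// the top-level package npm would change; `isSemVerMajor` means that change crosses a
// major version boundary, so it needs a human review rather than an automatic apply.
function describeFix(fix) {
  if (fix === false) return 'no fix available';
  if (fix === true) return 'npm audit fix';
  return `${fix.name}@${fix.version}${fix.isSemVerMajor ? ' (semver-major: review before applying)' : ''}`;
}

// One row per (direct dependency, advisory) pair, ready for a ticket or a CI log.
function summarizeDirectFindings(report) {
  const rows = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    if (!entry.isDirect) continue;
    for (const chain of traceChains(report, name)) {
      rows.push({
        direct: name,
        chain: chain.path.join(' -> '),
        severity: chain.advisory.severity,
        advisory: chain.advisory.url,
        vulnerableRange: chain.advisory.vulnerableRange,
        installedAt: chain.installedAt.join(', '),
        fix: describeFix(entry.fixAvailable),
      });
    }
  }
  return rows;
}

console.table(summarizeDirectFindings(SAMPLE_REPORT));
```

For the sample this yields a single row: swagger-ui -> react-syntax-highlighter -> refractor -> prismjs, installed at node_modules/refractor/node_modules/prismjs, with the only offered fix being swagger-ui@3.29.0 flagged semver-major. Since 3.29.0 predates the reporter's 5.20.1, that "fix" is a downgrade, which is why the thread asks for an upstream update instead of running `npm audit fix --force`.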

Can we get a fix in please? Thanks!

ishworg avatar Mar 27 '25 06:03 ishworg

Still affecting v5.20.5

machma02 avatar Apr 04 '25 19:04 machma02

This is a downstream issue with react-syntax-highlighter@latest, which is using an outdated prismjs@1.27.0

Adding this to package.json should work in the meantime...

"resolutions": {
  "prismjs": "1.30.0"
},

skubot avatar Apr 06 '25 08:04 skubot

It can still be seen in v5.21.5

akbast avatar Apr 25 '25 09:04 akbast

There is a react-syntax-highlighter version 16 now. This may be fixable now with an update?

kamulos avatar Oct 27 '25 10:10 kamulos