CVE-2020-26237
CVE-2020-26237 is a medium-severity vulnerability in Highlightjs Highlight.js with a CVSS 3.x base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-471.
Key facts
- Severity: Medium (CVSS 3.x base score 5.8)
- CVSS v2: 4.9
- EPSS exploit prediction: 1% (67th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-471
- Affected product: Highlightjs Highlight.js
- Published:
- Last modified:
Description
Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.
Frequently asked questions
- What is CVE-2020-26237?
- Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.
- How severe is CVE-2020-26237?
- CVE-2020-26237 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2020-26237 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (67th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-26237?
- CVE-2020-26237 primarily affects Highlightjs Highlight.js. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-26237?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-26237 published?
- CVE-2020-26237 was published on 2020-11-24 and last updated on 2026-06-17.
References
- https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0
- https://github.com/highlightjs/highlight.js/pull/2636
- https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx
- https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html
- https://www.npmjs.com/package/highlight.js
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected products (3)
- cpe:2.3:a:highlightjs:highlight.js:*:*:*:*:*:node.js:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Other CWE-471 vulnerabilities
- CVE-2022-25893 — Critical (CVSS 9.8): The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the…
- CVE-2018-3722 — High (CVSS 8.8): merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which…
- CVE-2018-3720 — High (CVSS 8.8): assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which…
- CVE-2018-3728 — High (CVSS 8.8): hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID)…
- CVE-2024-55551 — High (CVSS 8.3): An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters…
- CVE-2024-9876 — High (CVSS 7.3): : Modification of Assumed-Immutable Data (MAID) vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects…