All the vulnerabilities related to the version 2.0.4 of the package
Cross-Site Scripting in Prism
The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.
This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).
This problem is patched in v1.21.0.
To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#2506).
If you have any questions or comments about this advisory, please open an issue.
Denial of service in prismjs
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Regular Expression Denial of Service (ReDoS) in Prism
Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).
When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.
Other languages are not affected and can be used to highlight untrusted text.
This problem has been fixed in Prism v1.24.
prismjs Regular Expression Denial of Service vulnerability
Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.
Cross-site Scripting in Prism
Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.
Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.
This bug has been fixed in v1.27.0.
Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.
PrismJS DOM Clobbering vulnerability
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
