Prototype Pollution in highlight.js
Description
Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide, you may be vulnerable. The pollution should just be harmless data, but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DoS vector. If your website or application does not render user-provided data, it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8, you are encouraged to upgrade to a newer release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Highlight.js before 9.18.2 and 10.1.2 is vulnerable to Prototype Pollution via crafted language names in HTML code blocks, potentially leading to unexpected behavior or denial of service.
Vulnerability
Overview
Highlight.js is a JavaScript syntax highlighter used in browsers and on servers [1]. Versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution [2]. The root cause is that the internal languages and aliases objects were initialized as plain objects ({}), so a lookup keyed on an attacker-controlled language name can resolve to a property inherited from Object.prototype rather than to a registered language, which is what lets the base object's prototype be polluted [4].
Exploitation
A malicious HTML code block can be crafted with a language name such as __proto__ or constructor that, when processed by Highlight.js, results in prototype pollution of the base object's prototype [3]. The attack vector requires the application to allow users to insert custom HTML code blocks, such as through Markdown parsing, without filtering the language names [2]. The attacker does not need authentication if the application renders user-provided content.
Impact
The pollution adds unexpected properties to all objects, which can cause strange behavior or application crashes, making it a potential Denial of Service (DoS) vector [2][3]. The impact is limited to applications that render user-supplied data; those that do not are unaffected.
Mitigation
Versions 9.18.2 and 10.1.2 include fixes that use Object.create(null) for the languages and aliases objects, preventing prototype pollution [4]. Users on versions 7 or 8 are encouraged to upgrade. A workaround is to manually patch the library or filter user-supplied language names [3].
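The root cause and the fix described above, as an added example that is not highlight.js's own code: a registry kept in a plain object lets a user-supplied name like __proto__ or constructor resolve to an inherited value, while the null-prototype registry from the 10.1.2 patch returns undefined, as does an own-property check for callers that cannot upgrade. SAMPLE_LANGUAGES, makeVulnerableRegistry, makeFixedRegistry, getLanguageSafe and leakedNames are constructed for this example.

```javascript
// Added example (not highlight.js code): models the lookup that
// CVE-2020-26237 hinges on. A registry stored in a plain {} inherits
// from Object.prototype, so a user-supplied language name such as
// "__proto__" or "constructor" resolves to an inherited value instead
// of undefined. Object.create(null) removes that inheritance.

// Constructed stand-ins for real language definitions.
const SAMPLE_LANGUAGES = {
  javascript: { name: 'JavaScript', aliases: ['js'] },
  csharp: { name: 'C#', aliases: ['cs'] },
};

// Vulnerable shape: plain object literal, as in highlight.js < 10.1.2.
function makeVulnerableRegistry() {
  const languages = {};
  for (const [name, def] of Object.entries(SAMPLE_LANGUAGES)) languages[name] = def;
  return languages;
}

// Fixed shape: null-prototype object, as in the 10.1.2 patch.
function makeFixedRegistry() {
  const languages = Object.create(null);
  for (const [name, def] of Object.entries(SAMPLE_LANGUAGES)) languages[name] = def;
  return languages;
}

// Mirrors getLanguage(): a bare property read keyed on the caller's string.
function getLanguage(registry, name) {
  return registry[name];
}

// Defensive alternative for callers that cannot upgrade: only names that
// are own properties of the registry are accepted, so inherited members
// (__proto__, constructor, toString, ...) never resolve.
function getLanguageSafe(registry, name) {
  return Object.prototype.hasOwnProperty.call(registry, name) ? registry[name] : undefined;
}

// Lists which inherited names a registry would hand back to a caller;
// an empty result means the registry object is safe from this lookup bug.
function leakedNames(registry) {
  return ['__proto__', 'constructor', 'toString', 'hasOwnProperty']
    .filter((n) => getLanguage(registry, n) !== undefined);
}
```

Running leakedNames against the two registries shows four leaked names for the plain object and none for the null-prototype object.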
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| highlight.js (npm) | < 9.18.2 | 9.18.2 |
| highlight.js (npm) | >= 10.0.0, < 10.1.2 | 10.1.2 |
Affected products
- Range: < 9.18.2
Patches
7241013ae011 (parser) use null prototype objects for languages/aliases (#2636)
3 files changed · +23 −2
CHANGES.md+9 −0 modified@@ -1,3 +1,12 @@ +## Version 10.1.2 + +Fixes: + +- fix(night) Prevent object prototype values from being returned by `getLanguage` (#2636) [night][] + +[night]: https://github.com/night + + ## Version 10.1.1 Fixes:
src/highlight.js+2 −2 modified@@ -29,9 +29,9 @@ const HLJS = function(hljs) { // Global internal variables used within the highlight.js library. /** @type {Record<string, Language>} */ - var languages = {}; + var languages = Object.create(null); /** @type {Record<string, string>} */ - var aliases = {}; + var aliases = Object.create(null); /** @type {HLJSPlugin[]} */ var plugins = [];
test/api/getLanguage.js+12 −0 modified@@ -41,4 +41,16 @@ describe('.getLanguage()', () => { result.should.have.property('aliases').with.containEql('cs'); should.strictEqual(result, hljs.getLanguage('csharp')) }); + + it('should not succeed for constructor', () => { + const result = hljs.getLanguage('constructor'); + + should.strictEqual(result, undefined); + }); + + it('should not succeed for __proto__', () => { + const result = hljs.getLanguage('__proto__'); + + should.strictEqual(result, undefined); + }); });
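Review bot: In the CHANGES.md hunk, the 10.1.2 entry describes the change only as preventing prototype values from being returned by `getLanguage` and does not say it is a security fix; adding the words "prototype pollution" and a link to the advisory would help downstream packagers (Debian LTS among them) find and backport it.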
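Review bot: In the src/highlight.js hunk, moving `languages` and `aliases` to `Object.create(null)` closes the `__proto__`/`constructor` lookup, but null-prototype objects have no inherited methods, so any code in this module that calls `languages.hasOwnProperty(name)` or `aliases.hasOwnProperty(name)` directly would now throw; please grep for such callers and switch them to `Object.prototype.hasOwnProperty.call(...)` or the `in`/`!== undefined` checks. Keeping the `@type {Record<string, Language>}` annotations is fine, since the key/value shape is unchanged.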
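Review bot: The test/api/getLanguage.js hunk only covers `constructor` and `__proto__`; other inherited names such as `toString`, `hasOwnProperty` and `valueOf` would also have resolved on the old plain-object registry, so one more `it(...)` that loops over a short list of those names would catch a regression that reintroduces `{}` for either `languages` or `aliases`.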
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vfrc-7r7c-w9mx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-26237 (ghsa, ADVISORY)
- github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0 (ghsa, x_refsource_MISC, WEB)
- github.com/highlightjs/highlight.js/pull/2636 (ghsa, x_refsource_MISC, WEB)
- github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx (ghsa, x_refsource_CONFIRM, WEB)
- lists.debian.org/debian-lts-announce/2020/12/msg00041.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.npmjs.com/package/highlight.js (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa, x_refsource_MISC, WEB)