VYPR
Moderate severity · NVD Advisory · Published Jan 26, 2021 · Updated Aug 3, 2024

CVE-2021-26272

Description

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in CKEditor 4's Autolink plugin allows denial of service via crafted URL-like text pasted by a victim.

Vulnerability

CVE-2021-26272 is a Regular Expression Denial of Service (ReDoS) vulnerability in CKEditor 4 versions before 4.16. The flaw resides in the Autolink plugin, which turns URL-like text into a clickable link when the user presses Enter or Space after it. The regular expression that recognises such text backtracks catastrophically on crafted input, so a pasted string of modest length can keep the matcher busy for a very long time and consume the victim's CPU on a single keystroke. [1][2]

Exploitation

An attacker triggers the ReDoS by persuading a victim to paste a specially crafted, URL-like string into a CKEditor 4 instance and then press Enter or Space. That keystroke causes the Autolink plugin to run the vulnerable regex over the pasted text, and because JavaScript regex matching is synchronous, the backtracking blocks the page's script thread for as long as it runs. The attacker needs no account on, or access to, the application hosting the editor; the only precondition is the victim's paste and keystroke, which makes this a client-side denial of service against the victim's own browser rather than against the server. [2]

Impact and Mitigation

Successful exploitation makes the editor unresponsive and, because the matching runs on the page's main thread, can freeze the entire browser tab or application. The vulnerability was addressed in CKEditor 4.16, released alongside other security fixes. Users running vulnerable versions should upgrade to 4.16 or later. To confirm which version a page actually loads, evaluate CKEDITOR.version in the browser console; for npm deployments, npm ls ckeditor4 reports the installed package version. Note that CKEditor 4 reached its End of Life on June 30, 2023, and the open-source version no longer receives security updates; users requiring continued support must migrate to the commercial CKEditor 4 LTS or upgrade to CKEditor 5. [1][3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
ckeditor4 (npm)    < 4.16.0            4.16.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0

No linked articles in our index yet.