Low severity2.9GHSA Advisory· Published Jun 17, 2025· Updated Apr 15, 2026

CVE-2025-45525

Description

A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
microlightnpm	<= 0.0.7	—

Affected products

Asvd/MicrolightGHSA
Range: <= 0.0.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-64x7-m7rh-9m83ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-45525ghsaADVISORY
gist.github.com/Rootingg/843368931f70886bed3cf982f10a4424nvdWEB
github.com/github/advisory-database/pull/5730nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.189
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000