highlight.js@8.9.1 vulnerabilities
Syntax highlighting with language autodetection.
-
latest version
11.9.0
-
latest non vulnerable version
-
first published
13 years ago
-
latest version published
6 months ago
-
licenses detected
- >=8.6.0
Direct Vulnerabilities
Known vulnerabilities in the highlight.js package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.| Vulnerability | Vulnerable Version |
|---|---|
highlight.js is a syntax highlighter written in JavaScript. It works in the browser as well as on the server. It works with pretty much any markup, doesn’t depend on any framework, and has automatic language detection. Affected versions of this package are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. How to fix Prototype Pollution? Upgrade |
>=7.2.0 <9.18.2
>=10.0.0 <10.1.2
|