VulnerableCode Package Details - pkg:npm/prismjs@1.25.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-7hga-phsb-1kep Aliases: CVE-2022-23647 GHSA-3949-f494-cm99	Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.	1.27.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-qve7-xnn5-g7as Aliases: CVE-2024-53382 GHSA-x7hr-w5r2-h6wg	Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.	1.30.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7hga-phsb-1kep
Aliases:
CVE-2022-23647
GHSA-3949-f494-cm99

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

1.27.0
Affected by 1 other vulnerability.

VCID-qve7-xnn5-g7as
Aliases:
CVE-2024-53382
GHSA-x7hr-w5r2-h6wg

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

1.30.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cvqb-p5f4-7fax	prism is vulnerable to Inefficient Regular Expression Complexity	CVE-2021-3801 GHSA-hqhp-5p83-hx96

Vulnerability

Summary

Aliases

VCID-cvqb-p5f4-7fax

prism is vulnerable to Inefficient Regular Expression Complexity

CVE-2021-3801
GHSA-hqhp-5p83-hx96

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:24:32.886990+00:00	GHSA Importer	Fixing	VCID-cvqb-p5f4-7fax	https://github.com/advisories/GHSA-hqhp-5p83-hx96	38.6.0
2026-06-12T19:53:55.179227+00:00	GitLab Importer	Affected by	VCID-qve7-xnn5-g7as	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/prismjs/CVE-2024-53382.yml	38.6.0
2026-06-12T18:00:13.493776+00:00	GitLab Importer	Affected by	VCID-7hga-phsb-1kep	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/prismjs/CVE-2022-23647.yml	38.6.0
2026-06-12T15:42:24.311620+00:00	GitLab Importer	Fixing	VCID-cvqb-p5f4-7fax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/prismjs/CVE-2021-3801.yml	38.6.0
2026-06-12T08:03:34.709187+00:00	GithubOSV Importer	Fixing	VCID-cvqb-p5f4-7fax	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-hqhp-5p83-hx96/GHSA-hqhp-5p83-hx96.json	38.6.0