CVE-2025-45526
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-06-26
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Denial of Service (DoS) issue in the microlight JavaScript library version 0.0.7, which is used for syntax highlighting. The library does not limit the size of text it processes in HTML elements with the microlight class. When extremely large content (e.g., 100 million characters) is processed, the reset function consumes excessive CPU and memory by creating millions of DOM nodes and performing intensive tokenization per character. This causes the browser to crash or become unresponsive. An attacker can exploit this by tricking a user into visiting a malicious web page containing such large content in a microlight element, leading to resource exhaustion and denial of service. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can cause your browser to crash or become unresponsive due to excessive CPU and memory consumption. This results in a denial of service, preventing you from using the affected web page or potentially other browser functions until the browser is restarted. The attack requires you to visit a malicious web page containing very large content processed by microlight 0.0.7. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying the presence of microlight version 0.0.7 in your web applications or systems. Since the vulnerability involves processing very large textual content inside HTML elements with the microlight class, you can scan your web pages or scripts for the inclusion of microlight.js version 0.0.7 and check for unusually large content inside microlight elements. There are no specific commands provided to detect the vulnerability directly, but you can use web scanning tools or grep-like commands to find references to microlight.js 0.0.7 and inspect HTML content sizes. For example, you might use commands like `grep -r 'microlight.js' /path/to/webroot` to find usage, and then analyze the content size in those elements. Additionally, monitoring browser crashes or unresponsiveness when loading pages with microlight elements may indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of microlight version 0.0.7 with untrusted or user-supplied content. Apply server-side validation to limit the size of textual content processed by microlight elements, ensuring it does not exceed a safe threshold (e.g., 1,000,000 characters). Consider switching to alternative syntax highlighting libraries such as Prism.js or Highlight.js until a fixed version of microlight is released. Additionally, do not allow users to load or visit untrusted web pages that might contain maliciously large microlight elements to prevent denial of service. [1]
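One way to apply the size limit described in the mitigation answer on the client side, as an added example that is not part of the advisory page or of the microlight project: before the library's reset function runs, every element carrying the microlight class is measured, and any element above the threshold has the class removed so the highlighter never tokenizes it. The 1,000,000-character threshold and the `microlight` class and `reset` names come from the Q&A above; the guard function names, the `data-microlight-skipped` attribute and the stand-in document used to run the example offline are assumptions made for this example.

```javascript
// Added example (not microlight's code, not from the advisory): a size guard
// applied before microlight.reset(), so oversize elements are never highlighted.

const MAX_MICROLIGHT_CHARS = 1_000_000; // threshold named in the mitigation answer

// Split candidate elements into those safe to highlight and those too large.
// Works on anything with a textContent string, so it can be tested without a DOM.
function classifyMicrolightElements(elements, limit = MAX_MICROLIGHT_CHARS) {
  const safe = [];
  const oversize = [];
  for (const el of elements) {
    const length = typeof el.textContent === 'string' ? el.textContent.length : 0;
    (length > limit ? oversize : safe).push({ el, length });
  }
  return { safe, oversize };
}

// Remove the trigger class from oversize elements so a later microlight.reset()
// never sees them; record the original size so operators can inspect it.
function quarantineOversize(oversize) {
  for (const { el, length } of oversize) {
    el.classList.remove('microlight');
    el.setAttribute('data-microlight-skipped', String(length)); // assumed attribute name
  }
  return oversize.length;
}

// Drop-in replacement for calling microlight.reset() directly after page load.
function guardedMicrolightReset(doc, limit = MAX_MICROLIGHT_CHARS) {
  // getElementsByClassName is a live collection; snapshot it before removing classes.
  const elements = Array.from(doc.getElementsByClassName('microlight'));
  const { safe, oversize } = classifyMicrolightElements(elements, limit);
  quarantineOversize(oversize);
  if (typeof microlight !== 'undefined' && typeof microlight.reset === 'function') {
    microlight.reset(); // the library's entry point, assumed to be exposed as a global
  }
  return { highlighted: safe.length, skipped: oversize.length };
}

// --- constructed stand-ins for DOM objects, used only so the example runs offline ---
function makeFakeElement(text, classes = ['microlight']) {
  const attrs = {};
  const classSet = new Set(classes);
  return {
    textContent: text,
    classList: { remove: (c) => classSet.delete(c), contains: (c) => classSet.has(c) },
    setAttribute: (k, v) => { attrs[k] = v; },
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
  };
}

function makeFakeDocument(elements) {
  return {
    getElementsByClassName: (cls) => elements.filter((el) => el.classList.contains(cls)),
  };
}

// Demo: two ordinary snippets and one constructed oversize block, with the limit
// lowered to 1,000 characters so the effect is visible without a huge string.
function demo() {
  const doc = makeFakeDocument([
    makeFakeElement('function hello() { return "hi"; }'),
    makeFakeElement('x'.repeat(5000)), // constructed oversize content
    makeFakeElement('SELECT 1;'),
  ]);
  return guardedMicrolightReset(doc, 1000);
}

if (typeof window === 'undefined') console.log(demo()); // { highlighted: 2, skipped: 1 }
```

In a real page the guard would be called with `document` instead of the stand-in, and the threshold should be chosen against the hardware the site's users actually run on; the same length check belongs on the server side as well, since a client-side guard only helps on pages the site itself serves.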