Microlight JavaScript Library Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Microlight JavaScript library, specifically in version 0.0.7. This library is used for syntax highlighting but lacks a mechanism to limit the size of text it processes in HTML elements with the microlight class. When extremely large content, such as 100 million characters, is handled, the reset function in microlight.js consumes excessive memory and CPU resources, leading to browser crashes or unresponsiveness. An attacker can exploit this vulnerability by convincing a user to visit a malicious webpage containing a microlight element filled with large content, causing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the browser to crash or become unresponsive, with some versions of Chrome displaying a memory error.

Reproduction

To reproduce this vulnerability, download Microlight version 0.0.7 from the GitHub repository. Create an HTML file that includes a microlight element with a script generating 100 million characters. Serve the file using a local server and access it through a web browser. The browser will become unresponsive or crash due to memory exhaustion.

Remediation

Users are advised to avoid using Microlight version 0.0.7 in environments where untrusted content may be processed. Implement server-side validation to limit content size in microlight elements. Consider switching to alternative libraries like Prism.js or Highlight.js until a fix is available.