Impact A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the "codesample" plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the "codesample" plugin using TinyMCE 5.5.1 or lower. Patches This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability. Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.6.0 or higher - Disable the "codesample" plugin - Disable ruby code samples using the "codesample_languages" (https://www.tiny.cloud/docs/plugins/opensource/codesample/#exampleusingcodesample_languages) setting - Override the PrismJS syntax highlighter to version 1.21.0 or higher using the "codesample_global_prismjs" (https://www.tiny.cloud/docs/plugins/opensource/codesample/#codesample_global_prismjs) setting Acknowledgements Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability. References https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes For more information If you have any questions or comments about this advisory: * Open an issue in the "TinyMCE repo" (http://github.com/tinymce/tinymce/issues) * Email us at "infosec@tiny.cloud" (mailto:infosec@tiny.cloud)