prismjs CVE Vulnerabilities & Metrics

Focus on prismjs vulnerabilities and metrics.

Last updated: 01 Aug 2025, 22:25 UTC

About prismjs Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with prismjs. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total prismjs CVEs: 6
Earliest CVE date: 07 Aug 2020, 17:15 UTC
Latest CVE date: 03 Mar 2025, 07:15 UTC

Latest CVE reference: CVE-2024-53382

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical prismjs CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.42

Max CVSS: 5.0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 2
4.0-6.9 4
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS prismjs CVEs

These are the five CVEs with the highest CVSS scores for prismjs, sorted by severity first and recency.

All CVEs for prismjs

CVE-2024-53382 prismjs vulnerability CVSS: 0 03 Mar 2025, 07:15 UTC

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

CVE-2022-23647 prismjs vulnerability CVSS: 4.3 18 Feb 2022, 15:15 UTC

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

CVE-2021-3801 prismjs vulnerability CVSS: 4.3 15 Sep 2021, 13:15 UTC

prism is vulnerable to Inefficient Regular Expression Complexity

CVE-2021-32723 prismjs vulnerability CVSS: 4.3 28 Jun 2021, 20:15 UTC

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.

CVE-2021-23341 prismjs vulnerability CVSS: 5.0 18 Feb 2021, 16:15 UTC

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

CVE-2020-15138 prismjs vulnerability CVSS: 2.6 07 Aug 2020, 17:15 UTC

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.