{"id":"CVE-2020-7760","details":"This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*","aliases":["GHSA-4gw3-8f77-f72c"],"modified":"2026-04-10T04:28:14.564971Z","published":"2020-10-30T11:15:12.633Z","related":["SNYK-JAVA-ORGAPACHEMARMOTTAWEBJARS-1024450","SNYK-JAVA-ORGWEBJARS-1024449","SNYK-JAVA-ORGWEBJARSBOWER-1024445","SNYK-JAVA-ORGWEBJARSBOWERGITHUBCODEMIRROR-1024448","SNYK-JAVA-ORGWEBJARSBOWERGITHUBCOMPONENTS-1024446","SNYK-JAVA-ORGWEBJARSNPM-1024447","SNYK-JS-CODEMIRROR-1016937"],"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4789"},{"type":"FIX","url":"https://github.com/codemirror/CodeMirror/commit/55d0333907117c9231ffdf555ae8824705993bbb"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCOMPONENTS-1024446"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1024447"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCODEMIRROR-1024448"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEMARMOTTAWEBJARS-1024450"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1024449"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1024445"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/codemirror/codemirror5","events":[{"introduced":"0"},{"fixed":"264022ee4af4abca1c158944dc299a8faf8696d6"},{"fixed":"55d0333907117c9231ffdf555ae8824705993bbb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.58.2"}]}}],"versions":["3.13.0","3.14.0","3.15.0","3.16.0","3.17.0","3.18.0","3.19.0","3.20.0","3.21.0","4.0.1","4.0.2","4.0.3","4.1.0","4.10.0","4.12.0","4.13.0","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.7.0","4.8.0","4.9.0","5.0.0","5.1.0","5.10.0","5.11.0","5.12.0","5.13.0","5.13.2","5.14.0","5.14.2","5.15.0","5.15.2","5.16.0","5.17.0","5.18.0","5.18.2","5.19.0","5.2.0","5.20.0","5.20.2","5.21.0","5.22.0","5.23.0","5.24.0","5.24.2","5.25.0","5.25.2","5.26.0","5.27.0","5.27.2","5.27.4","5.28.0","5.29.0","5.3.0","5.30.0","5.31.0","5.32.0","5.33.0","5.34.0","5.35.0","5.36.0","5.37.0","5.38.0","5.39.0","5.39.2","5.4.0","5.40.0","5.40.2","5.41.0","5.42.0","5.43.0","5.44.0","5.45.0","5.46.0","5.47.0","5.48.0","5.48.2","5.48.4","5.49.0","5.49.2","5.5.0","5.50.0","5.50.2","5.51.0","5.52.0","5.52.2","5.53.0","5.53.2","5.54.0","5.55.0","5.56.0","5.57.0","5.58.0","5.58.1","5.6.0","5.7.0","5.8.0","5.9.0","beta1","beta2","v2.0","v2.01","v2.02","v2.1","v2.11","v2.12","v2.13","v2.14","v2.15","v2.16","v2.17","v2.18","v2.2","v2.21","v2.22","v2.23","v2.24","v2.25","v2.3","v2.31","v2.32","v2.33","v3.0","v3.01","v3.0beta1","v3.0beta2","v3.0rc1","v3.0rc2","v3.1","v3.11","v3.12","v4_beta1","v4_beta2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"20.2"}]},{"events":[{"introduced":"0"},{"last_affected":"19c"}]},{"events":[{"introduced":"0"},{"last_affected":"21.2"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.9.0"}]},{"events":[{"introduced":"0"},{"fixed":"19.1.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7760.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}