{"id":"CVE-2022-24729","summary":"Regular expression Denial of Service in dialog plugin","details":"CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.","aliases":["BIT-drupal-2022-24728","BIT-drupal-2022-24729","CVE-2022-24728","DRUPAL-CORE-2022-005","GHSA-4fc4-4p5g-6w89","GHSA-f6rf-9m92-x2hh"],"modified":"2026-04-10T04:45:31.170450Z","published":"2022-03-16T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24729.json","cwe_ids":["CWE-400"]},"references":[{"type":"WEB","url":"https://ckeditor.com/cke4/release/CKEditor-4.18.0"},{"type":"WEB","url":"https://www.drupal.org/sa-core-2022-005"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24729.json"},{"type":"ADVISORY","url":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24729"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ckeditor/ckeditor4","events":[{"introduced":"769d96134bcf29f5d3d870e25797ce9b9dc8289e"},{"fixed":"5fe059002f8c207df80b44ef999f3d1eec280694"}]}],"versions":["4.0","4.0.0","4.0.1","4.1","4.1.0","4.10.0","4.12.0","4.13.0","4.14.0","4.15.0","4.16.0","4.17.0","4.17.1","4.17.2","4.1rc","4.2","4.2.0","4.2.1","4.2.2","4.2.3","4.4.0","4.4.1","4.5.0","4.5.0-beta","4.6.0","4.7.0","4.8.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24729.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"35c2f3ca5c935f3d8bde15932a712677c9bbd50f"},{"fixed":"b68374146298b7277939e9c3208ab0518ff78d1a"},{"introduced":"698ee686c23de8c97d7e0601cf745b220d54f4e1"},{"fixed":"aabeae28aa10e9a22ca903d140704846c1df161a"},{"introduced":"0"},{"last_affected":"0266059ef71465105aeb687e2d4124f0da46fe9c"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"fixed":"9.2.15"},{"introduced":"9.3.0"},{"fixed":"9.3.8"},{"introduced":"0"},{"last_affected":"11.3.2"}]}}],"versions":["10.0.0-alpha1","10.0.0-alpha3","10.0.0-alpha4","10.0.0-alpha5","10.1.0-alpha1","11.0.0-alpha1","11.2.0-rc1","11.3.0","11.3.0-alpha1","11.3.0-beta1","11.3.0-rc1","11.3.0-rc2","11.3.1","11.3.2","8.0.0","8.1.0-beta1","9.0.0-alpha1","9.0.0-alpha2","9.2.0","9.2.0-alpha1","9.2.0-beta1","9.2.0-beta2","9.2.0-beta3","9.2.0-rc1","9.2.1","9.2.10","9.2.14","9.2.3","9.2.5","9.2.7","9.2.8","9.3.0","9.3.2","9.3.4","9.3.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24729.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}