This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Incorrect vulnerability details #280

Closed
kellyselden opened this issue May 25, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@kellyselden

Vulnerability URL
Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/sonatype-2020-1579

Component URL
Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:npm/prismjs

Description
According to PrismJS/prism#2584, this was fixed in 1.23.0.

@kellyselden kellyselden added the bug Something isn't working label May 25, 2022
@ken-duck
Contributor

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

@ken-duck
Contributor

ken-duck commented Aug 23, 2022

Deep dive research determined the fix provided by the project to be insufficient and this has been stated in the Advisory deviation notice in the explanation.

The Sonatype security research team discovered that the fix for this vulnerability provided in version 1.23.0 was incomplete and that it is still possible to trigger catastrophic backtracking with a larger input in versions 1.23.0 and later. The developers suggested on this issue that they would not provide additional fixes for this vulnerability.

@kellyselden
Author

Thanks for the context!
