Issue #6723 · ✓ Solved · Opened March 5, 2026 by tiburciomzt · 2 reactions

Dependency: grapesjs >=0.21.13 Depends on vulnerable versions of underscore


Question

GrapesJS version
[x] I confirm to use the latest version of GrapesJS

What browser are you using?
Edge, mozilla

Reproducible demo link
NA

Describe the bug
underscore <=1.13.7
Severity: high
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/underscore
grapesjs >=0.21.13
Depends on vulnerable versions of underscore
node_modules/grapesjs

Code of Conduct
[x] I agree to...

Answers (2)

👍 Most helpful · artf · March 31, 2026

Thanks for the report @tiburciomzt

The bump was merged and will soon be released.

GJS Helper · May 17, 2026

The issue you've reported regarding the underscore vulnerability (GHSA-qpx9-hpmf-5gmw) in grapesjs is valid and concerns a high-severity DoS vulnerability in underscore versions prior to 1.13.8. This vulnerability affects _.flatten and _.isEqual functions due to unlimited recursion.

Root Cause

Grapes...
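A lockfile check for the condition npm audit reports in this thread, as an added example that is not part of the issue or of GrapesJS: it lists installed underscore copies at or below 1.13.7 in a package-lock.json `packages` map, together with the packages that resolve to each copy. The function names and the sample lockfile are constructed for illustration; the declared dependency ranges in the sample are assumptions.

```javascript
// Added example (not GrapesJS or underscore code).
const LAST_AFFECTED = "1.13.7"; // upper bound of the range quoted in the issue

// Numeric compare of plain x.y.z versions (assumes no prerelease suffix).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Node-style lookup: nearest node_modules/<name>, walking up from `from`.
function resolveInstall(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// List affected underscore installs and the packages that resolve to them.
function findAffectedUnderscore(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/underscore")) continue;
    if (!meta.version || compareVersions(meta.version, LAST_AFFECTED) > 0) continue;
    const requiredBy = Object.keys(packages).filter((p) =>
      "underscore" in (packages[p].dependencies || {}) &&
      resolveInstall(packages, p, "underscore") === path);
    findings.push({ path, version: meta.version, requiredBy });
  }
  return findings;
}

// Constructed sample lockfile; dependency ranges and "other-lib" are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { grapesjs: "0.21.13", "other-lib": "1.0.0" } },
  "node_modules/grapesjs": { version: "0.21.13", dependencies: { underscore: "^1.13.0" } },
  "node_modules/underscore": { version: "1.13.7" },
  "node_modules/other-lib": { version: "1.0.0", dependencies: { underscore: "^1.13.8" } },
  "node_modules/other-lib/node_modules/underscore": { version: "1.13.8" },
} };
console.log(JSON.stringify(findAffectedUnderscore(sampleLock), null, 2));
```

To run it against a real project, pass the parsed contents of package-lock.json to `findAffectedUnderscore` in place of `sampleLock`.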
