Dependency: grapesjs >=0.21.13 Depends on vulnerable versions of underscore
Thanks for the report @tiburciomzt The bump was merged and will soon be released.
Read full answer below ↓Question
GrapesJS version [x] I confirm to use the latest version of GrapesJS What browser are you using? Edge, mozilla Reproducible demo link NA Describe the bug underscore <=1.13.7 Severity: high underscore <=1.13.7 Severity: high Underscore has unlimited recursion in .flatten and .isEqual, potential for DoS attack - https://github.com/advisories/GHSA-qpx9-hpmf-5gmw fix available via npm audit fix --force Will install [email protected], which is a breaking change nodemodules/underscore grapesjs >=0.21.13 Depends on vulnerable versions of underscore nodemodules/grapesjs Code of Conduct [x] I agree to...
Answers (2)
Thanks for the report @tiburciomzt
The bump was merged and will soon be released.
The issue you've reported regarding the underscore vulnerability (GHSA-qpx9-hpmf-5gmw) in grapesjs is valid and concerns a high-severity DoS vulnerability in underscore versions prior to 1.13.8. This vulnerability affects .flatten and .isEqual functions due to unlimited recursion. Root Cause Grapes...
Related Questions and Answers
Continue research with similar issue discussions.
Issue #3443
Backbone-undo/underscore security advisory
Version: v0.17.3 Are you able to reproduce the bug from the demo?[x] Yes[ ] No What is the expected behavior? See below What is the current...
Issue #6211
Too much recursion
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Firefox 131.0.2 Reproducible demo link htt...
Issue #5743
XSS vulnerability in iframe attribute src
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Edge v122 Reproducible demo link https://j...
Issue #5154
TS2416: Property '_up' in type 'PropertyStack' is not assignable to the same property in base type 'PropertyComposite<PropertyStackProps>'
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? ---- Reproducible demo link https://codesa...
Paid Plugins That Match This Issue
Curated by issue keywords and label relevance to help you ship faster.
Loading paid plugin recommendations...
Check the open-source GrapesJS plugins on GitHub or run a quick search in our free catalog.
Browse free plugins →Premium plugins ship with support, regular updates, and production-ready features — save days of integration work.
Browse premium plugins →Related tutorials
In-depth guides on the same topic.
Tutorial
Lighthouse for GrapesJS: Audit Accessibility and SEO Without Leaving the Editor
Live WCAG 2.1/2.2 accessibility auditor + SEO manager for GrapesJS. Every finding is bound to the exact component — click to select, then one-click fix.
Tutorial
GrapesJS DevTools: A Developer Panel Inside Your Editor
If you've ever debugged GrapesJS with console.log(editor.getSelected()) and a dozen throwaway event listeners — this post is for you.
Tutorial
Find the Right GrapesJS Plugin in Seconds: Smarter Discovery Is Live
We're shipping a set of discovery upgrades. New label filters, a proper compatibility switch for GrapesJS vs Studio, one-click and a smarter sort bar.
Browse Plugin Categories
Jump directly to plugin category pages on the marketplace.