CVE-2025-45525

A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.

Configurations

No configuration.

History

20 Jun 2025, 12:15

Type Values Removed Values Added
Summary
  Added: (es) A null pointer dereference vulnerability was discovered in microlight.js (version 0.0.7), a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library does not validate the result of a regular expression match before accessing its properties, which causes an uncaught TypeError and a possible application crash.
Summary
  Removed: (en) A null pointer dereference vulnerability was discovered in microlight.js (version 0.0.7), a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash.
  Added: (en) A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.
CVSS
  Removed: v2 : unknown, v3 : 4.3
  Added: v2 : unknown, v3 : 2.9
References
  Added: https://github.com/github/advisory-database/pull/5730

18 Jun 2025, 14:15

Type Values Removed Values Added
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 4.3
CWE
  Added: CWE-476

17 Jun 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-06-17 20:15

Updated : 2025-06-20 12:15


NVD link : CVE-2025-45525

Mitre link : CVE-2025-45525

CVE.ORG link : CVE-2025-45525



Products Affected

No product.

CWE
CWE-476: NULL Pointer Dereference