CVE-2025-45525

low-risk

Published 2025-06-17

A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.9/10 Low

LOCAL / HIGH complexity

References (2)

https://gist.github.com/Rootingg/843368931f70886bed3cf982f10a4424

https://github.com/github/advisory-database/pull/5730

/ 100

low-risk

Severity 8/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal