Possible ReDOS in newline rule

Moderate
puzrin published GHSA-6vfc-qv3f-vr6c Jan 8, 2022

Package

npm markdown-it (npm)

Affected versions

<=12.3.1

Patched versions

12.3.2

Description

Impact

Special patterns with length > 50K chars can slow down the parser significantly.

const md = require('markdown-it')();

// Reproduction: a very long run of spaces inside a line that ends with a
// markdown hard break ("  \n") makes rendering take far longer than expected.
md.render(`x ${' '.repeat(150000)} x  \nx`);
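The following illustration is added here and is not markdown-it's code or the fix commit; the `/ +$/` regex is an assumed stand-in for the general pattern behind this class of slowdown (a greedy run of spaces followed by an end anchor, applied to text whose long run of spaces is not at the end). It shows why such a trim grows quadratically with the run length while a backward scan stays linear, and that both return the same result.

```javascript
// Added illustration, not project code. The regex is an assumed stand-in for
// the kind of trailing-space trim that backtracks badly; the linear scan is
// the shape of fix a defender would want instead.

// Regex variant: `/ +$/` starts a match attempt at every space in the run,
// greedily consumes the rest of the run, fails at the anchor, then backtracks
// one character at a time. A run of n interior spaces therefore costs O(n^2).
function trimTrailingSpacesRegex(s) {
  return s.replace(/ +$/, '');
}

// Linear variant: walk backwards from the end and cut once.
function trimTrailingSpacesLinear(s) {
  let end = s.length;
  while (end > 0 && s.charCodeAt(end - 1) === 0x20) end--;
  return end === s.length ? s : s.slice(0, end);
}

// Constructed sample input shaped like the advisory's reproduction: a long run
// of spaces sitting before text, then two trailing spaces (a hard break).
function buildPayload(n) {
  return 'x ' + ' '.repeat(n) + ' x  ';
}

// Wall-clock time of one call, in milliseconds (no imports needed).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Runs both implementations on the same input and reports whether they agree
// plus how long each took.
function compare(n) {
  const input = buildPayload(n);
  const regexOut = trimTrailingSpacesRegex(input);
  const linearOut = trimTrailingSpacesLinear(input);
  return {
    sameResult: regexOut === linearOut,
    regexMs: timeMs(trimTrailingSpacesRegex, input),
    linearMs: timeMs(trimTrailingSpacesLinear, input),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the regex time; the linear scan stays flat.
  for (const n of [2500, 5000, 10000]) {
    const r = compare(n);
    console.log(
      `n=${n}: regex ${r.regexMs.toFixed(1)} ms, ` +
      `linear ${r.linearMs.toFixed(2)} ms, same=${r.sameResult}`
    );
  }
}
```

The practical check for a deployment is the same one the reproduction above implies: time a render of a long, space-heavy line on the installed version and confirm it is flat after upgrading to 12.3.2.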

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: ffc49ab

Severity

Moderate

CVE ID

CVE-2022-21670

Weaknesses

No CWEs

Credits