[GHSA-38c4-r59v-3vqw] markdown-it is has a Regular Expression Denial of Service (ReDoS)#6928

Closed
cai0duque wants to merge 1 commit into cai0duque/advisory-improvement-6928 from cai0duque-GHSA-38c4-r59v-3vqw

Conversation

@cai0duque

Updates

  • CVSS v3
  • CVSS v4
  • Description
  • Severity

Comments
Updated the CVSS score to reflect High Availability impact (VA:H). Since markdown-it is widely used in Node.js (single-threaded) environments, a ReDoS vulnerability typically blocks the event loop, causing a complete denial of service for the application, not just a minor slowdown. Expanded the description to mention the impact on both server and client environments.

Copilot AI review requested due to automatic review settings February 17, 2026 08:54
@github-actions github-actions bot changed the base branch from main to cai0duque/advisory-improvement-6928 February 17, 2026 08:55

Copilot AI left a comment


Pull request overview

This PR updates a security advisory for a ReDoS vulnerability in the markdown-it package. The update increases the severity assessment from MODERATE to HIGH based on the significant impact of ReDoS vulnerabilities in Node.js environments, where they block the event loop and cause complete service denial.

Changes:

  • Updated CVSS v4 score to reflect High Availability impact (VA:H instead of VA:L)
  • Removed CVSS v3 score entirely
  • Changed severity classification from MODERATE to HIGH
  • Enhanced the vulnerability description to clarify impact on both server-side (Node.js) and client-side (browser) environments


"aliases": [
"CVE-2026-2327"
],
"summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)",

Copilot AI Feb 17, 2026


The summary contains a grammatical error. The phrase "markdown-it is has" should be "markdown-it has" (removing the extra "is").

Suggested change
"summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)",
"summary": "markdown-it has a Regular Expression Denial of Service (ReDoS)",

"severity": "MODERATE",
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2026-02-13T20:04:39Z",
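Review bot: the `"severity": "MODERATE"` to `"HIGH"` change in this hunk edits only the label, while the justification given in the PR description (VA:L raised to VA:H, and the CVSS v3.1 vector removed) lives in a part of the record not shown alongside it, so a reviewer cannot confirm from this hunk that the label and the recorded vector still agree; please keep the vector edit and the label edit in one reviewable region, and note that deleting the v3.1 vector drops a score the advisory previously carried rather than correcting it. The unchanged `"github_reviewed_at"` context line should stay as it is: the field name records when GitHub reviewed the advisory, not when the record was last modified, so a later `modified` timestamp is the expected state and not a mismatch to fix here.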

Copilot AI Feb 17, 2026


The modified timestamp was updated to "2026-02-13T20:04:40Z" but the github_reviewed_at timestamp on line 70 remains "2026-02-13T20:04:39Z". These timestamps should typically match or the modified timestamp should be later than github_reviewed_at. Consider updating the github_reviewed_at timestamp to match the modified timestamp.

Suggested change
"github_reviewed_at": "2026-02-13T20:04:39Z",
"github_reviewed_at": "2026-02-13T20:04:40Z",


shelbyc commented Feb 17, 2026

Hi @cai0duque, I'm going to keep the CVSS at CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P and CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L because I think the CNA, Snyk, was correct in its assessment of the severity of GHSA-38c4-r59v-3vqw.

For more detail: In CVSS 4.0, denial of service can lead to a low availability impact if the denial of service causes only temporary disruption. https://www.first.org/cvss/v4.0/specification-document#Base-Metrics has more detail in section 2.2.7, "Table 10: Availability Impact to the Vulnerable System (VA):"

Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System.

@shelbyc shelbyc closed this Feb 17, 2026
@github-actions github-actions bot deleted the cai0duque-GHSA-38c4-r59v-3vqw branch February 17, 2026 21:25
