Closed
@@ -1,21 +1,17 @@
{
"schema_version": "1.4.0",
"id": "GHSA-38c4-r59v-3vqw",
"modified": "2026-02-13T20:04:39Z",
"modified": "2026-02-13T20:04:40Z",
"published": "2026-02-12T06:30:13Z",
"aliases": [
"CVE-2026-2327"
],
"summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)",

Copilot AI Feb 17, 2026

The summary contains a grammatical error. The phrase "markdown-it is has" should be "markdown-it has" (removing the extra "is").

Suggested change
"summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)",
"summary": "markdown-it has a Regular Expression Denial of Service (ReDoS)",

"details": "Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.",
"details": "markdown-it versions from 13.0.0 before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) in the `linkify` rule. An attacker can supply a crafted input string (specifically a long sequence of `*` characters followed by a non-matching character) that triggers catastrophic backtracking in the regex used for link validation.\n\nThis vulnerability affects both server-side (Node.js) deployments, where it can lead to complete service denial by exhausting the CPU event loop, and client-side (browser) implementations, potentially freezing the user's interface.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -69,7 +65,7 @@
"cwe_ids": [
"CWE-1333"
],
"severity": "MODERATE",
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2026-02-13T20:04:39Z",

Copilot AI Feb 17, 2026

The modified timestamp was updated to "2026-02-13T20:04:40Z" but the github_reviewed_at timestamp on line 70 remains "2026-02-13T20:04:39Z". These timestamps should typically match or the modified timestamp should be later than github_reviewed_at. Consider updating the github_reviewed_at timestamp to match the modified timestamp.

Suggested change
"github_reviewed_at": "2026-02-13T20:04:39Z",
"github_reviewed_at": "2026-02-13T20:04:40Z",

"nvd_published_at": "2026-02-12T06:16:02Z"