Vitaly Puzrin

4 exploits Active since Jun 2017
CVE-2026-48988 WRITEUP MEDIUM WRITEUP
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.
CVSS 5.3
CVE-2026-2327 WRITEUP MEDIUM WRITEUP
markdown-it 13.0.0-14.1.0 - Regular Expression Denial of Service via Linkify Function
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
CVSS 5.3
CVE-2015-3295 WRITEUP MEDIUM WRITEUP
markdown-it < 4.1.0 - Improper Access Control via Data URL Handling
markdown-it before 4.1.0 does not block data: URLs.
CVSS 5.3
CVE-2022-21670 WRITEUP MEDIUM WRITEUP
markdown-it <1.3.2 - Info Disclosure
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
CVSS 5.3