Description
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c
Patch, Third Party Advisory x_refsource_misc
https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101
Scores
CVSS v3
5.3
EPSS
0.0215
EPSS Percentile
79.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333
CWE-400
Status
published
Products (2)
markdown-it_project/markdown-it
< 12.3.1
npm/markdown-it
0 - 12.3.2npm
Published
Jan 10, 2022
Tracked Since
Feb 18, 2026