
Uncontrolled Resource Consumption in markdown-it

moderate severity GitHub Reviewed Published Jan 12, 2022 in markdown-it/markdown-it

Package

npm markdown-it (npm)

Affected versions

< 12.3.2

Patched versions

12.3.2

Description

Impact

Specially crafted input longer than roughly 50K characters (for example, a paragraph containing a very long run of spaces followed by a hard line break, as in the sample below) can slow the parser down significantly. An attacker who controls Markdown that the server renders can use this for a CPU-exhaustion denial of service; confidentiality and integrity are not affected.

// Proof of concept from the advisory: a paragraph with a 150K-character run
// of spaces, ending in a hard line break ("  \n"). On markdown-it < 12.3.2
// this single render call takes a very long time to return.
const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);
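The following is an added example and is not code from markdown-it or from this advisory. It isolates, in plain JavaScript with no dependency on markdown-it, the kind of trailing-space trimming that the fix commit referenced below (markdown-it@ffc49ab) replaced, as I read that commit: a trim using a regex of the form / +$/ backtracks quadratically over a long run of spaces that does not sit at the end of the string, while a backward scan from the end is linear. The function names (trimTrailingSpacesRegex, trimTrailingSpacesLinear, makePending, timeTrim, compareGrowth, isAffectedVersion) and the pattern sizes are my own constructions; the version check encodes only what this advisory states (affected < 12.3.2, patched 12.3.2).

```javascript
// Added example, not markdown-it's own code. Isolates the trailing-space
// trimming pattern that the referenced fix commit (markdown-it@ffc49ab)
// replaced, as I read that commit. All names here are illustrative.

// Vulnerable stand-in: an unanchored-start regex. On "x " + N spaces + " x  "
// the engine tries every space as a start position, greedily consumes the
// run, fails at '$' when it reaches the 'x', then backtracks one space at a
// time before moving the start forward: O(N^2) steps in total.
function trimTrailingSpacesRegex(pending) {
  return pending.replace(/ +$/, '');
}

// Fixed stand-in: walk backwards from the end and cut there. Cost is
// proportional to the number of trailing spaces only, whatever precedes them.
function trimTrailingSpacesLinear(pending) {
  let end = pending.length;
  while (end > 0 && pending.charCodeAt(end - 1) === 0x20 /* space */) end--;
  return pending.slice(0, end);
}

// Constructed input shaped like the advisory's PoC text before the "\n":
// "x " + n spaces + " x  " (the two trailing spaces mark a hard line break).
function makePending(n) {
  return 'x ' + ' '.repeat(n) + ' x  ';
}

// Wall-clock milliseconds for one trim call on a size-n pattern.
function timeTrim(trim, n) {
  const input = makePending(n);
  const start = process.hrtime.bigint();
  trim(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Run both implementations over increasing sizes. Doubling n should roughly
// quadruple the regex time and leave the linear time essentially flat.
function compareGrowth(sizes) {
  return sizes.map((n) => ({
    n,
    regexMs: timeTrim(trimTrailingSpacesRegex, n),
    linearMs: timeTrim(trimTrailingSpacesLinear, n),
  }));
}

// Version check using only what the advisory states: < 12.3.2 affected,
// 12.3.2 patched. Pre-release/build suffixes are dropped, so "12.3.2-rc.1"
// is treated as 12.3.2 here; tighten this if you need strict semver order.
const PATCHED = [12, 3, 2];
function isAffectedVersion(version) {
  const core = String(version).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some((p) => Number.isNaN(p))) {
    throw new Error('unparseable version: ' + version);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] < PATCHED[i]) return true;
    if (parts[i] > PATCHED[i]) return false;
  }
  return false; // exactly 12.3.2 is the patched release
}

// Sanity check that both trims agree on the constructed input, then show the
// growth on small sizes. Sizes are kept small so this finishes quickly; the
// advisory's 150K-space input takes far longer through the regex path.
for (const n of [10, 1000]) {
  if (trimTrailingSpacesRegex(makePending(n)) !== trimTrailingSpacesLinear(makePending(n))) {
    throw new Error('trim implementations disagree for n=' + n);
  }
}
console.table(compareGrowth([1000, 2000, 4000]));
console.log('12.3.1 affected:', isAffectedVersion('12.3.1'));
console.log('12.3.2 affected:', isAffectedVersion('12.3.2'));
```

To reproduce the advisory's own numbers, pass larger sizes to compareGrowth (for example 50000 and 100000) and expect the regex column to grow with the square of n; the linear column is the shape to look for when reviewing any trim or whitespace-handling code that runs on attacker-controlled input.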

Patches

Upgrade to v12.3.2+

Workarounds

None. The only remediation is upgrading to a patched version.

References

Fix + test sample: markdown-it/markdown-it@ffc49ab

@puzrin puzrin published the maintainer security advisory Jan 8, 2022

CVE ID

CVE-2022-21670

CVSS Score

5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Credits