SB2022010804 - Inefficient regular expression complexity in markdown-it
Published: January 8, 2022 Updated: April 24, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Inefficient regular expression complexity (CVE-ID: CVE-2022-21670)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in the newline rule when parsing specially crafted markdown input. A remote attacker can send specially crafted input to cause a denial of service.
Inputs containing special patterns with lengths greater than 50,000 characters can significantly slow down the parser.
Remediation
Install the update from the vendor's website.