Outdated Markdown Library Can Be Used to Slow Down or Crash Your App
Your application uses a version of a popular text-formatting library (markdown-it) that contains a flaw in how it processes certain text patterns. If your app lets users submit markdown content — such as comments, notes, or documentation — someone could craft a specially formatted message that causes your server to work extremely hard processing it, potentially slowing down or making your app unavailable to other users. A fix is available and is a straightforward upgrade.
Business Impact And Actions
medium urgency
Business Impact
If your app accepts user-submitted text that gets processed as markdown, this flaw could be exploited to degrade performance or cause temporary outages. This could affect customer experience, trigger uptime SLA violations, and in regulated environments may be flagged during security audits. The risk is limited to availability — no customer data is exposed by this vulnerability.
What To Do
- Ask your developer to upgrade the markdown-it package to version 14.1.1 or later — this is typically a 30-minute task.
- If an immediate upgrade isn't possible, ask your developer to add input length limits on any fields where users can submit markdown text.
- Check whether the markdown processing happens on your server or only in the browser — server-side processing carries higher risk.
- After the upgrade, ask your developer to confirm the new version is in place by checking your project's dependency file (package.json).
markdown-it 13.0.0–14.1.0 ReDoS via Catastrophic Backtracking in linkify (CVE-2026-2327)
medium severity CVSS 6.5-6.9
Vulnerability Explanation
The markdown-it linkify rule uses the regular expression /\*+$/ to match trailing asterisks when auto-linking URLs. Because the pattern has no start anchor, a backtracking engine such as the one in JavaScript runtimes retries it from every offset inside a long run of asterisks; each retry greedily consumes the rest of the run, fails at the end-of-string anchor when a non-asterisk character follows, and then gives back one character at a time before failing. The work therefore grows quadratically with the length of the run: not exponentially, but a run of tens of thousands of asterisks is already enough to pin a CPU core for a noticeable time. An attacker who can submit markdown input to any endpoint that calls markdown-it with linkify enabled can trigger this condition with a trivially crafted string.
Root Cause
The cost comes from two properties of /\*+$/ acting together: the pattern is not anchored at the start, so the engine attempts a match at every offset inside the run, and each attempt must walk to the end of the run before $ can fail, then back off through every shorter candidate match. For a run of N asterisks followed by a single other character this is roughly N²/2 steps, so doubling the input quadruples the CPU time. The fix in 14.1.1 rewrites this check so that its cost no longer grows super-linearly with the length of the run.
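To make the cost model above concrete, the following is an added example (not markdown-it's own code) that times the advisory's regex against a hand-written linear scan on constructed payloads of N asterisks followed by 'X'. The function names and the payload sizes are illustrative assumptions; only the regex /\*+$/ and the payload shape come from the advisory.

```javascript
// Added example (not markdown-it's own code): show why /\*+$/ is quadratic on a crafted
// run of asterisks, and what a linear-time equivalent of the same check looks like.
// Payload shape follows the advisory: N asterisks followed by one non-asterisk character.

const VULNERABLE_RE = /\*+$/; // the pattern named in the advisory

// Trailing-asterisk count using the vulnerable regex. Unanchored at the start, so on
// '****...*X' the engine retries from every offset in the run and each retry scans to
// the end before '$' fails: roughly N^2/2 steps for a run of length N.
function countTrailingStarsRegex(text) {
  const m = VULNERABLE_RE.exec(text);
  return m ? m[0].length : 0;
}

// Same answer in a single backwards pass over the string: O(N), no regex engine involved.
function countTrailingStarsLinear(text) {
  let i = text.length;
  while (i > 0 && text.charCodeAt(i - 1) === 0x2a /* '*' */) i--;
  return text.length - i;
}

// Constructed attacker input: N asterisks, then a character that defeats the '$' anchor.
function craftPayload(n) {
  return '*'.repeat(n) + 'X';
}

function timeMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time both implementations on growing payloads. The regex column should grow roughly
// 4x per doubling of N; the linear column should stay close to flat.
function benchmark(sizes) {
  return sizes.map((n) => {
    const payload = craftPayload(n);
    return {
      n,
      regexMs: timeMs(() => countTrailingStarsRegex(payload)),
      linearMs: timeMs(() => countTrailingStarsLinear(payload)),
    };
  });
}

// Demo run on modest sizes (assumed values; large enough to show the trend, small enough
// to finish quickly even on the quadratic path).
for (const row of benchmark([2000, 4000, 8000, 16000])) {
  console.log(`N=${row.n}\tregex=${row.regexMs.toFixed(2)}ms\tlinear=${row.linearMs.toFixed(3)}ms`);
}
```

Both functions return the same count on every input; the only difference is cost. Increase the sizes passed to benchmark() to see the quadratic path cross from milliseconds into seconds, which is the behaviour a crafted comment would impose on a server running a vulnerable version with linkify enabled.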
Technical Impact
An unauthenticated remote attacker can cause excessive CPU consumption on the server by submitting a crafted markdown payload (e.g., a long string of asterisks followed by a non-matching character). This can degrade application responsiveness or cause a denial-of-service condition for all users. No data confidentiality or integrity impact — this is a pure availability vulnerability.
Severity Justification
CVSS 4.0 base score of 6.9 per published advisory. Network-accessible, no authentication required, low attack complexity, but impact is limited to availability (no confidentiality or integrity impact). Exploitability depends on whether the application exposes markdown processing to untrusted input with linkify enabled.
Affected Components
markdown-it >= 13.0.0 && < 14.1.1
Remediation Steps
- Upgrade markdown-it to version 14.1.1 or later: run `npm install markdown-it@latest` or pin to `"markdown-it": "^14.1.1"` in package.json.
- If you cannot upgrade immediately, disable the linkify option when instantiating markdown-it: `const md = markdownit({ linkify: false })`. This removes the vulnerable code path entirely.
- Add server-side input length validation on any endpoint that processes markdown. Reject or truncate inputs exceeding a reasonable limit (e.g., 50,000 characters) before they reach the parser.
- Apply rate limiting to markdown-rendering endpoints to reduce the blast radius of any attempted abuse.
Verification Steps
- Run `npm list markdown-it` in your project root and confirm the installed version is 14.1.1 or higher.
- Check your package.json and package-lock.json (or yarn.lock) to confirm the resolved version is not within the vulnerable range (>= 13.0.0 && < 14.1.1).
- If you have automated tests, add a test that passes a string of 10,000 asterisks followed by 'X' to your markdown renderer and asserts it completes within a reasonable timeout (e.g., 500ms).
Code Examples (javascript)
// Vulnerable: markdown-it 13.0.0 – 14.1.0 with linkify enabled
import markdownit from 'markdown-it'

// userInput: untrusted markdown taken from a request body, comment form, etc.
const mdVulnerable = markdownit({ linkify: true }) // linkify uses the vulnerable /\*+$/ regex
const output = mdVulnerable.render(userInput) // attacker can supply '***...***X' to trigger ReDoS

// Fixed option 1: upgrade to markdown-it >= 14.1.1 (regex patched upstream)
// package.json: "markdown-it": "^14.1.1"
// Same import and same options as above; safety comes from the installed version, not the code
const mdPatched = markdownit({ linkify: true }) // safe in 14.1.1+

// Fixed option 2: disable linkify if not needed (removes vulnerable code path entirely)
const mdNoLinkify = markdownit({ linkify: false })
Best Practices
- Pin or range-lock third-party dependencies and run `npm audit` (or equivalent) in CI to catch known vulnerabilities before they reach production.
- Apply input length limits at the API layer before content reaches any parser — this limits the worst-case cost of any ReDoS-class vulnerability.
- When writing custom regular expressions that process untrusted input, avoid patterns that can re-scan the same run of characters from many offsets; use atomic or possessive quantifiers where the engine supports them (JavaScript's built-in engine does not), or switch to a linear-time engine such as RE2.
- Run markdown rendering in a worker thread or with a CPU timeout so that a slow regex cannot block your main event loop.