SAPUI5
cpe:2.3:a:sap:ui5:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in SAPUI5 and OpenUI5 packages that use an outdated version of the markdown-it library, which contains known security flaws. When markdown-it processes certain specially crafted input, its processing does not terminate properly and enters an infinite loop. The loop blocks a processing thread, resulting in excessive CPU consumption and unresponsiveness. The vulnerability does not affect confidentiality or integrity, but it significantly disrupts system availability.
Exploitation of this vulnerability leads to a denial-of-service condition, causing high CPU usage and system unresponsiveness by blocking a processing thread.
Users are advised to consult the SAP Security Notes for guidance on addressing this vulnerability. SAP Security Notes can be accessed through the SAP for Me platform, where users can find the complete list of security updates and patches. For specific patching instructions, refer to the SAP Security Notes FAQs.