CodeMirror Markdown Mode Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in CodeMirror versions through 5.17.0, specifically in the Markdown mode component. The issue arises from regular expressions with inefficient complexity, which allow specially crafted input to trigger catastrophic backtracking. Exploiting this can freeze the application or severely degrade its performance. The vulnerability can be triggered remotely in both browser and server-side environments that use CodeMirror's Markdown mode.

Impact

Exploitation of this vulnerability leads to a regular-expression denial-of-service (ReDoS), causing the application to freeze or severely slow down.

Reproduction

The vulnerability can be reproduced by loading CodeMirror in Markdown mode and feeding it carefully crafted strings that trigger the vulnerable regular expressions. This can be done either through a standalone HTML file that includes CodeMirror and its Markdown mode, or by adding a test case to an existing CodeMirror test suite that checks for performance regressions with the same payloads.

Added: Jun 22, 2025, 10:19 PM
Updated: Jun 22, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.