Mixmark-io Turndown Regular Expression Denial-of-Service Vulnerability
Vulnerability
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Mixmark-io Turndown versions through 7.2.1. The issue resides in the file 'src/commonmark-rules.js', where certain regular expressions can cause catastrophic backtracking. This vulnerability can be exploited remotely, leading to a significant increase in computation time and causing the application to hang.
Impact
Exploitation of this vulnerability causes the application to become unresponsive, effectively hanging the process.
Reproduction
The vulnerability can be reproduced by using a long, crafted string that 'almost' matches the vulnerable regular expression patterns. This can be done by creating a string with a large number of newline characters followed by a character that disrupts the match, such as an exclamation mark. When this string is processed by the Turndown library, the regular expression engine will experience catastrophic backtracking, causing a severe slowdown or freeze of the application.
Remediation
Users are advised to update to a version of Mixmark-io Turndown that has addressed this vulnerability. The specific fix involves replacing the vulnerable regular expression patterns with a logical approach that avoids backtracking, as detailed in the vulnerability report.
