markdown-it Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the markdown-it package, affecting versions from 13.0.0 up to, but not including, 14.1.1. The issue is in the linkify rule, which applies the regex '/\*+$/' to find a run of '*' characters at the end of a string. The pattern is unanchored at the start, uses a greedy quantifier and is anchored only at the end, so on an input consisting of a long run of '*' followed by a character that is not '*', the regex engine attempts a match from every position in the run: at each starting point it greedily consumes the rest of the run, fails at '$', backtracks one character at a time, and then moves on to the next starting point. The work therefore grows with the square of the run length, and an attacker who can get such a string into linkified input can pin a CPU core for seconds or longer and deny service.

Impact

Exploitation of this vulnerability drives CPU usage to 100% for the duration of the regex match. Because markdown-it renders synchronously, a Node.js process rendering untrusted Markdown is blocked for that whole time and becomes unresponsive or slow for every other request it is serving; repeated requests keep it that way.

Reproduction

To reproduce this vulnerability, install an affected version of the markdown-it package, instantiate it with the linkify option enabled, and render input containing a URL followed by a long sequence of '*' characters and a non-matching character, such as 'https://test.com?' + '*'.repeat(70000) + 'a'. The linkify rule applies the vulnerable regex to this text and the render call takes many seconds instead of milliseconds. Halving the length of the '*' run roughly quarters the time, which confirms the quadratic behaviour.
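The following is an added example, not code from the markdown-it project: it places the trailing-'*' check using the regex named above beside a linear replacement, builds the advisory's input shape at adjustable sizes, and times both so the quadratic growth is visible. The optional markdown-it timing assumes the package's documented API (new MarkdownIt({ linkify: true }).render(src)) and is skipped when the package is not installed, so the rest runs offline with Node.js built-ins only.

```javascript
// Added example (not markdown-it's own code): the vulnerable trailing-'*'
// check beside a linear replacement, with scaled-input timings that show
// the quadratic growth. Only Node.js built-ins are required.
'use strict';

// The pattern named in the advisory.
const TRAILING_STARS = /\*+$/;

// Vulnerable: unanchored start, greedy '\*+', anchored only at '$'.
// On "***...*a" the engine retries from every '*' in the run and backtracks
// the whole remainder each time, so work grows with the square of the run.
function countTrailingStarsRegex(text) {
  const m = TRAILING_STARS.exec(text);
  return m ? m[0].length : 0;
}

// Linear replacement: walk backwards from the end and stop at the first
// character that is not '*'. Same answer as the regex, O(n) worst case.
function countTrailingStarsLinear(text) {
  let i = text.length;
  while (i > 0 && text.charCodeAt(i - 1) === 0x2a /* '*' */) i--;
  return text.length - i;
}

// The advisory's input shape: a URL, a run of n stars, then a non-matching char.
// Constructed sample input; the host name is the one used in the advisory.
function reproInput(n) {
  return 'https://test.com?' + '*'.repeat(n) + 'a';
}

// Milliseconds taken by fn(text), measured with the monotonic clock.
function timeMs(fn, text) {
  const t0 = process.hrtime.bigint();
  fn(text);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Optional reproduction against an installed markdown-it (assumed API:
// new MarkdownIt({ linkify: true }).render(src)). Returns null when the
// package is not installed so the example still runs offline.
function timeMarkdownItMs(n) {
  let MarkdownIt;
  try { MarkdownIt = require('markdown-it'); } catch (e) { return null; }
  const md = new MarkdownIt({ linkify: true });
  return timeMs((src) => md.render(src), reproInput(n));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n should roughly quadruple the regex time and barely change the
  // linear one. Sizes stay well below 70000 so the demo finishes quickly.
  for (const n of [5000, 10000, 20000]) {
    const text = reproInput(n);
    console.log(`n=${n}: regex ${timeMs(countTrailingStarsRegex, text).toFixed(1)} ms, ` +
                `linear ${timeMs(countTrailingStarsLinear, text).toFixed(3)} ms`);
  }
  const mdMs = timeMarkdownItMs(20000);
  console.log(mdMs === null
    ? 'markdown-it not installed; skipped render timing'
    : `markdown-it render, n=20000: ${mdMs.toFixed(1)} ms`);
}
```

Run it with node and compare the two columns: the regex column grows about fourfold per doubling of n while the linear column stays flat. The same check, run against a patched and an unpatched markdown-it, distinguishes an affected installation from a fixed one without waiting out the full 70000-character case.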

Remediation

Upgrade markdown-it to version 14.1.1 or higher. Until the upgrade is deployed, limit the size of untrusted Markdown accepted for rendering, or disable the linkify option, since the linkify rule exits before reaching the vulnerable regex when that option is off.

Added: Feb 12, 2026, 6:34 AM
Updated: Feb 12, 2026, 6:34 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.