CVE-2019-25102 — Regex Denial of Service in Simple-markdown

CWE-1333 — Regex Denial of Service3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 53.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Khanacademy Simple-markdown

Timeline

PublishedFeb 12

Description

A vulnerability, which was classified as problematic, was found in simple-markdown 0.6.0. Affected is an unknown function of the file simple-markdown.js. The manipulation with the input <<<<<<<<<<:/:/:/:/:/:/:/:/:/:/ leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.6.1 is able to address this issue. The patch is identified as 015a719bf5cdc561feea05500ecb3274ef609c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶npmkhanacademy/simple-markdown< 0.6.1

▶NVDkhanacademy/simple-markdown0.6.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Regular Expression Denial of Service in simple-markdown↗2023-02-12

▶

GHSA

Regular Expression Denial of Service in simple-markdown↗2023-02-12

▶