GHSA-6vfc-qv3f-vr6c

Source

https://github.com/advisories/GHSA-6vfc-qv3f-vr6c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-6vfc-qv3f-vr6c/GHSA-6vfc-qv3f-vr6c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6vfc-qv3f-vr6c

Aliases

CVE-2022-21670

Published

2022-01-12T22:20:22Z

Modified

2023-11-08T04:08:07.059316Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Uncontrolled Resource Consumption in markdown-it

Details

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

Database specific

{
    "github_reviewed_at": "2022-01-10T21:50:05Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "nvd_published_at": "2022-01-10T21:15:00Z",
    "github_reviewed": true
}

References

Affected packages

npm / markdown-it

Package

Name: markdown-it; View open source insights on deps.dev
Purl: pkg:npm/markdown-it

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.3.2