markdown-it html_re.js redos
Description
markdown-it before version 3.0.0 contains a ReDoS vulnerability in lib/common/html_re.js caused by an inefficient regular expression.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
markdown-it before version 3.0.0 contains a ReDoS vulnerability in lib/common/html_re.js caused by an inefficient regular expression.
Vulnerability
Overview
CVE-2015-10005 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the markdown-it library, affecting versions up to and including 2.x. The flaw resides in an unknown function within the file lib/common/html_re.js, where the manipulation of certain inputs leads to inefficient regular expression complexity [1]. This classification as "problematic" indicates that the issue can degrade performance under specific conditions, potentially causing the library to consume excessive CPU resources when processing crafted input.
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must supply a specially crafted Markdown document to an application using an affected version of markdown-it. Since markdown-it is a parser used in many web applications, blog engines, and content management systems, the attacker may not need any authentication if the application accepts user-supplied Markdown content. The attack vector is network-based, as the crafted payload can be sent via a web form, API endpoint, or any other means by which user input is processed by the parser.
Impact
Successful exploitation results in a denial of service condition. The application could become unresponsive or take an extremely long time to process the malicious input, effectively hanging the server or consuming its resources. While there is no evidence of arbitrary code execution or data exfiltration, the availability impact can be significant for services that rely on markdown-it to render user-generated content.
Mitigation
The vulnerability is fully addressed in markdown-it version 3.0.0, which includes a fix in commit 89c8620157d6e38f9872811620d25138fc9d1b0d [3][4]. Users are strongly advised to upgrade to version 3.0.0 or later. No workarounds have been documented, and the vendor has confirmed that upgrading is the recommended course of action [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
markdown-itnpm | < 3.0.0 | 3.0.0 |
Affected products
2- Range: 2.x
Patches
189c8620157d6cdata regexp fix
1 file changed · +1 −1
lib/common/html_re.js+1 −1 modified@@ -46,7 +46,7 @@ var close_tag = /<\/[A-Za-z][A-Za-z0-9]*\s*>/; var comment = /<!--[\s\S]*?-->/; var processing = /<[?].*?[?]>/; var declaration = /<![A-Z]+\s+[^>]*>/; -var cdata = /<!\[CDATA\[([^\]]+|\][^\]]|\]\][^>])*\]\]>/; +var cdata = /<!\[CDATA\[[\s\S]*?\]\]>/; var HTML_TAG_RE = replace(/^(?:open_tag|close_tag|comment|processing|declaration|cdata)/) ('open_tag', open_tag)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/markdown-it/markdown-it/commit/89c8620157d6e38f9872811620d25138fc9d1b0dghsapatchWEB
- github.com/markdown-it/markdown-it/releases/tag/3.0.0ghsapatchWEB
- github.com/advisories/GHSA-j5p7-jf4q-742qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-10005ghsaADVISORY
- vuldb.comghsasignaturepermissions-requiredWEB
- vuldb.comghsavdb-entryWEB
News mentions
0No linked articles in our index yet.