VYPR
High severity · NVD Advisory · Published May 13, 2019 · Updated Aug 4, 2024

CVE-2019-12041

Description

CVE-2019-12041: Regular Expression Denial of Service (ReDoS) in remarkable 1.7.1 via crafted CDATA sections.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-12041 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the remarkable markdown parser, version 1.7.1. The flaw exists in the file lib/common/html_re.js, specifically in the regular expression handling CDATA sections. When processing a crafted CDATA section, the regex can cause catastrophic backtracking, leading to excessive CPU consumption [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted markdown document containing a malicious CDATA section to an application that uses remarkable. No authentication is required; the attack can be triggered simply by parsing the input. The vulnerable regex pattern leads to exponential time complexity when matching certain invalid inputs, causing the parser to hang or take an extremely long time to complete [2][3].

Impact

Successful exploitation results in a denial of service condition. The application becomes unresponsive due to high CPU usage, potentially affecting all users relying on the service. This can be leveraged to disrupt operations or used as one stage of a larger attack chain.

Mitigation

The vulnerability was addressed in a pull request (#335) merged into the remarkable repository on July 26, 2019, and is fixed in versions after 1.7.1 [1][4]. Users should update to the latest version of remarkable to mitigate this risk. There are no known workarounds besides upgrading.
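The regex rewrite that fixed this CVE, exercised as an added example (not remarkable's own code or tests): the pre-fix and post-fix comment and CDATA patterns are copied from the patch and run over constructed well-formed and malformed inputs, checking that the fix still accepts the same valid tags and rejects the malformed ones, and a short timing loop shows the old CDATA pattern's cost roughly doubling per extra filler character while the new one stays flat. Timings are illustrative and depend on the engine.

```javascript
// Added example (not remarkable's own code or tests): the pre-fix and post-fix
// comment/CDATA patterns copied from the patch, run on constructed inputs.
// Anchored with ^ here because HTML_TAG_RE composes them under ^(?:...).
const OLD = {
  comment: /^<!--([^-]+|[-][^-]+)*-->/,
  cdata: /^<!\[CDATA\[([^\]]+|\][^\]]|\]\][^>])*\]\]>/,
};
const NEW = {
  comment: /^(?:<!---->|<!--(?:-?[^>-])(?:-?[^-])*-->)/,
  cdata: /^<!\[CDATA\[[\s\S]*?\]\]>/,
};

// Tag text matched at the start of `input`, or null.
function matchTag(patterns, kind, input) {
  const m = patterns[kind].exec(input);
  return m ? m[0] : null;
}

// Well-formed tags (constructed): both versions must match them whole.
const VALID = [
  ['comment', '<!-- hello -->'], ['comment', '<!---->'], ['comment', '<!-- a - b -->'],
  ['cdata', '<![CDATA[x]]>'], ['cdata', '<![CDATA[a]b]]c]]>'],
];
// Malformed tags the fix must reject. Only NEW is run on these: the 48-char CDATA
// case is the patch's own fixture, and OLD's cost on it grows exponentially with
// the length of the 'a' run because every split of the run is retried.
const MALFORMED = [
  ['comment', '<!-->'], ['comment', '<!--->'],              // body starts with > or ->
  ['comment', '<!--a--->'], ['comment', '<!-- a -- b -->'], // ends with - / contains --
  ['cdata', '<![CDATA[' + 'a'.repeat(48) + ']] >'],
];

// True when the rewrite keeps every valid match and rejects the malformed set.
function checkEquivalence() {
  return VALID.every(([k, s]) => matchTag(OLD, k, s) === s && matchTag(NEW, k, s) === s)
    && MALFORMED.every(([k, s]) => matchTag(NEW, k, s) === null);
}

// Wall-clock cost of one exec(); OLD is only timed on short inputs.
function timeMs(re, input) {
  const t0 = performance.now();
  re.exec(input);
  return performance.now() - t0;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('equivalence check:', checkEquivalence());
  for (const n of [10, 12, 14, 16]) { // OLD roughly doubles per step, NEW stays flat
    const s = '<![CDATA[' + 'a'.repeat(n) + ']] >';
    console.log(`n=${n} old=${timeMs(OLD.cdata, s).toFixed(2)}ms new=${timeMs(NEW.cdata, s).toFixed(3)}ms`);
  }
}
```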

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
remarkable (npm) | < 1.7.2 | 1.7.2

Affected products: 2

Patches: 1
287dfbf22e70

Prevent a ReDoS vulnerability (#335)

https://github.com/jonschlinkert/remarkable · Dominykas Blyžė · Jul 27, 2019 · via ghsa
2 files changed · +13 −2
  • lib/common/html_re.js  +2 −2  modified
    @@ -41,10 +41,10 @@ var open_tag    = replace(/<[A-Za-z][A-Za-z0-9]*attribute*\s*\/?>/)
                         ();
     
     var close_tag   = /<\/[A-Za-z][A-Za-z0-9]*\s*>/;
    -var comment     = /<!--([^-]+|[-][^-]+)*-->/;
    +var comment     = /<!---->|<!--(?:-?[^>-])(?:-?[^-])*-->/;
     var processing  = /<[?].*?[?]>/;
     var declaration = /<![A-Z]+\s+[^>]*>/;
    -var cdata       = /<!\[CDATA\[([^\]]+|\][^\]]|\]\][^>])*\]\]>/;
    +var cdata       = /<!\[CDATA\[[\s\S]*?\]\]>/;
     
     var HTML_TAG_RE = replace(/^(?:open_tag|close_tag|comment|processing|declaration|cdata)/)
       ('open_tag', open_tag)
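Review bot: the rewritten comment pattern on the `+var comment` line is safe because every loop iteration `(?:-?[^-])` must end in a non-dash character, so a run of body text can only be tokenized one way and the engine never retries partitions; the removed `([^-]+|[-][^-]+)*` let `[^-]+` absorb a run of non-dash characters in exponentially many splits before `-->` failed. That invariant, together with the `[^>-]` first character that rejects `<!-->` and `<!--->`, deserves a one-line comment beside the pattern so a later edit does not reintroduce an ambiguous alternation. Two smaller points: the CDATA replacement `[\s\S]*?\]\]>` is linear per attempt but lazily scans to the end of the input on an unterminated section, and both old patterns used capturing groups where the new ones do not, which shifts group numbering for anything reading numbered groups off HTML_TAG_RE; worth confirming no caller does.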
    
  • test/fixtures/remarkable/redos.txt  +11 −0  added
    @@ -0,0 +1,11 @@
    +.
    +<a>ReDoS</a><![CDATA[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]] >
    +.
    +<p><a>ReDoS</a>&lt;![CDATA[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]] &gt;</p>
    +.
    +
    +.
    +<a>z</a><!--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa--->
    +.
    +<p><a>z</a>&lt;!–aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa—&gt;</p>
    +.
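Review bot: both fixtures only exercise rejection (the expected output on the `+<p>` lines shows the input escaped as `&lt;`, i.e. not recognised as an HTML tag), so a rewrite that matched nothing at all would still pass; add a well-formed `<![CDATA[...]]>` and `<!-- ... -->` case whose expected output keeps the raw tag. Also, the expected output for the comment case contains `–` and `—` where the input has `--` and `---`, so this fixture depends on typographic replacement being enabled in the test harness and will break for reasons unrelated to ReDoS if that option changes.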
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6
