VYPR
High severity · NVD Advisory · Published Feb 12, 2023 · Updated Aug 5, 2024

simple-markdown simple-markdown.js redos

CVE-2019-25102

Description

simple-markdown 0.6.0 has a ReDoS vulnerability in autolink parsing via crafted input, patched in 0.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Overview

CVE-2019-25102 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the simple-markdown JavaScript library, version 0.6.0. The flaw resides in an unknown function within simple-markdown.js that processes autolink patterns. When a malicious input such as <<<<<<<<<<:/:/:/:/:/:/:/:/:/:/ is supplied, the regular expression responsible for parsing autolinks enters a state of catastrophic backtracking, resulting in exponentially increasing processing time [1][2][3].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. By sending a specially crafted string to any application that uses simple-markdown 0.6.0 to parse markdown input, the regular expression engine can be forced into excessive computation. This can cause the application to hang or become unresponsive, effectively denying service to legitimate users [2]. The exploit has been publicly disclosed, increasing the risk of active exploitation [2].

Impact

Successful exploitation leads to a denial of service condition. The application may become unresponsive or crash due to resource exhaustion, impacting availability. No other impact (such as data breach or code execution) has been associated with this vulnerability. The CVSS vector has not yet been fully assessed by NVD, but the flaw is classified as problematic and considered a security concern [2].

Mitigation

The vulnerability is patched in version 0.6.1, with the fix identified by commit 015a719bf5cdc561feea05500ecb3274ef609cd2 [1][4]. Users are strongly advised to upgrade to simple-markdown 0.6.1 or later. No workarounds have been provided for earlier versions. The repository has since moved to a new location under the Perseus project [1].
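The effect of the one-character change in the fix commit can be measured with a small model. The following is an added example, not code from simple-markdown or from this advisory: it walks the autolink pattern the way a backtracking matcher does and counts attempts for inputs shaped like the sample in the Overview. The names `countSteps`, `pageShapedInput`, `agreesWithEngine` and `growthTable` are illustrative, and the step model is an assumption (a real engine's exact counts differ).

```javascript
// Added example: step-counting model of a backtracking match for
//   /^<(C1+:\/C2+)>/   where C2 = [^ >]
// C1 = [^ >]  in 0.6.0 (vulnerable), C1 = [^: >] in 0.6.1 (patched).
// The two literals below are copied from the fix commit's "-" and "+" lines.
const VULNERABLE = /^<([^ >]+:\/[^ >]+)>/;
const PATCHED = /^<([^: >]+:\/[^ >]+)>/;

// Constructed input with the same shape as the advisory's sample:
// n '<' characters followed by n ':/' pairs and no closing '>'.
function pageShapedInput(n) {
  return '<'.repeat(n) + ':/'.repeat(n);
}

// Count character tests and backtrack attempts (model, not V8's internals).
function countSteps(input, patched) {
  const inC2 = (ch) => ch !== undefined && ch !== ' ' && ch !== '>';
  const inC1 = patched ? (ch) => inC2(ch) && ch !== ':' : inC2;
  let steps = 0;
  if (input[0] !== '<') return { matched: false, steps };

  // Greedy C1+: consume as far as the class allows.
  let c1End = 1;
  while (inC1(input[c1End])) { c1End++; steps++; }

  // Backtrack C1+ one character at a time, looking for ":/" after it.
  for (let end = c1End; end >= 2; end--) {
    steps++;
    if (input[end] !== ':' || input[end + 1] !== '/') continue;

    // Greedy C2+ after ":/", then backtrack it looking for '>'.
    let c2End = end + 2;
    while (inC2(input[c2End])) { c2End++; steps++; }
    for (let e2 = c2End; e2 >= end + 3; e2--) {
      steps++;
      if (input[e2] === '>') {
        return { matched: true, steps, target: input.slice(1, e2) };
      }
    }
  }
  return { matched: false, steps };
}

// Sanity check: the model must reach the same match/no-match verdict
// as the real regular expressions.
function agreesWithEngine(input) {
  return countSteps(input, false).matched === VULNERABLE.test(input) &&
         countSteps(input, true).matched === PATCHED.test(input);
}

// Step counts for growing inputs: the 0.6.0 pattern re-scans the tail for
// every ":/" it can split on; the 0.6.1 pattern has a single split point.
function growthTable(sizes) {
  return sizes.map((n) => ({
    n,
    length: 3 * n,
    vulnerableSteps: countSteps(pageShapedInput(n), false).steps,
    patchedSteps: countSteps(pageShapedInput(n), true).steps,
  }));
}

console.table(growthTable([10, 20, 40]));
```

Doubling the input roughly quadruples the work for the 0.6.0 pattern and only doubles it for the 0.6.1 pattern. The parser also retries the rule as it advances through the text, which this single-match model does not include.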

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: simple-markdown (npm)
Affected versions: < 0.6.1
Patched versions: 0.6.1

Patches

2
a6308532fca8

v0.6.1: #73 Fix ReDoS with autolink

https://github.com/ariabuckles/simple-markdown · Aria Buckles · Oct 24, 2019 · via osv
2 files changed · +2 -2
  • package.json · +1 -1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "simple-markdown",
    -  "version": "0.6.0",
    +  "version": "0.6.1",
       "description": "Javascript markdown parsing, made simple",
       "main": "simple-markdown.js",
       "scripts": {
    
  • simple-markdown.min.js · +1 -1 · modified
    @@ -1 +1 @@
    -!function(){var s,o,t,n,r,d,h,e,a=/\r\n?/g,l=/\t/g,u=/\f/g,c=function(e){return e.replace(a,"\n").replace(u,"").replace(l,"    ")},i=function(e,t){var n=e||{};if(null!=t)for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(n[r]=t[r]);return n},f=function(m,n){var y,g=Object.keys(m).filter(function(e){var t=m[e];if(null==t||null==t.match)return!1;var n=t.order;return"number"==typeof n&&isFinite(n)||"undefined"==typeof console||console.warn("simple-markdown: Invalid order for rule `"+e+"`: "+String(n)),!0});g.sort(function(e,t){var n=m[e],r=m[t],a=n.order,l=r.order;if(a!==l)return a-l;var u=n.quality?0:1,o=r.quality?0:1;return u!==o?u-o:e<t?-1:t<e?1:0});var v=function(e,t){var n=[];for(y=t=t||y;e;){var r=null,a=null,l=null,u=NaN,o=0,c=g[0],i=m[c];do{var f=i.order,p=null==t.prevCapture?"":t.prevCapture[0],s=i.match(e,t,p);if(s){var d=i.quality?i.quality(s,t,p):0;d<=u||(r=c,a=i,l=s,u=d)}c=g[++o],i=m[c]}while(i&&(!l||i.order===f&&i.quality));if(!0!==t.disableErrorGuards){if(null==a||null==l)throw new Error("Could not find a matching rule for the below content. The rule with highest `order` should always match content provided to it. Check the definition of `match` for '"+g[g.length-1]+"'. It seems to not match the following source:\n"+e);if(0!==l.index&&e.slice(0,l[0].length)!==l[0])throw new Error("`match` must return a capture starting at index 0 (the current parse index). 
Did you forget a ^ at the start of the RegExp?")}var h=a.parse(l,v,t);Array.isArray(h)?Array.prototype.push.apply(n,h):(null==h.type&&(h.type=r),n.push(h)),t.prevCapture=l,e=e.substring(t.prevCapture[0].length)}return n};return function(e,t){return(y=i(t,n)).inline||y.disableAutoBlockNewlines||(e+="\n\n"),y.prevCapture=null,v(c(e),y)}},p=function(n){var e=function(e,t){return t.inline?n.exec(e):null};return e.regex=n,e},m=function(n){var e=function(e,t){return t.inline?null:n.exec(e)};return e.regex=n,e},y=function(n){var e=function(e,t){return n.exec(e)};return e.regex=n,e},g="function"==typeof Symbol&&Symbol.for&&Symbol.for("react.element")||60103,v=function(e,t,n){return{$$typeof:g,type:e,key:t,ref:null,props:n,_owner:null}},k=function(e,t,n,r){n=n||{},r=void 0===r||r;var a="";for(var l in n){var u=n[l];Object.prototype.hasOwnProperty.call(n,l)&&u&&(a+=" "+E(l)+'="'+E(u)+'"')}var o="<"+e+a+">";return r?o+t+"</"+e+">":o},x={},w=function(e){if(null==e)return null;try{var t=decodeURIComponent(e).replace(/[^A-Za-z0-9/:]/g,"").toLowerCase();if(0===t.indexOf("javascript:")||0===t.indexOf("vbscript:")||0===t.indexOf("data:"))return null}catch(e){return null}return e},b=/[<>&"']/g,_={"<":"&lt;",">":"&gt;","&":"&amp;",'"':"&quot;","'":"&#x27;","/":"&#x2F;","`":"&#96;"},E=function(e){return String(e).replace(b,function(e){return _[e]})},S=/\\([^0-9A-Za-z\s])/g,R=function(e){return e.replace(S,"$1")},A=function(e,t,n){var r=n.inline||!1;n.inline=!0;var a=e(t,n);return n.inline=r,a},$=function(e,t,n){return{content:A(t,e[1],n)}},O=function(){return{}},T="(?:[*+-]|\\d+\\.)",C="( *)("+T+") +",P=new RegExp("^"+C),j=new RegExp(C+"[^\\n]*(?:\\n(?!\\1"+T+" )[^\\n]*)*(\n|$)","gm"),q=/\n{2,}$/,B=/^ (?= *`)|(` *) $/g,F=q,N=/ *\n+$/,I=new RegExp("^( *)("+T+") [\\s\\S]+?(?:\n{2,}(?! 
)(?!\\1"+T+" )\\n*|\\s*\n*$)"),L=/(?:^|\n)( *)$/,z=(s=/^ *\| *| *\| *$/g,o=/ *$/,t=/^ *-+: *$/,n=/^ *:-+: *$/,r=/^ *:-+ *$/,d=function(e){return t.test(e)?"right":n.test(e)?"center":r.test(e)?"left":null},h=function(e,t,n,r){var a=n.inTable;n.inTable=!0;var l=t(e.trim(),n);n.inTable=a;var u=[[]];return l.forEach(function(e,t){"tableSeparator"===e.type?(!r||0!==t&&t!==l.length-1)&&u.push([]):("text"!==e.type||null!=l[t+1]&&"tableSeparator"!==l[t+1].type||(e.content=e.content.replace(o,"")),u[u.length-1].push(e))}),u},{parseTable:(e=function(p){return function(e,t,n){n.inline=!0;var r,a,l,u,o,c=h(e[1],t,n,p),i=(r=e[2],p&&(r=r.replace(s,"")),r.trim().split("|").map(d)),f=(a=e[3],l=t,u=n,o=p,a.trim().split("\n").map(function(e){return h(e,l,u,o)}));return n.inline=!1,{type:"table",header:c,align:i,cells:f}}})(!0),parseNpTable:e(!1),TABLE_REGEX:/^ *(\|.+)\n *\|( *[-:]+[-| :]*)\n((?: *\|.*(?:\n|$))*)\n*/,NPTABLE_REGEX:/^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*/}),G="(?:\\[[^\\]]*\\]|[^\\[\\]]|\\](?=[^\\[]*\\]))*",X="\\s*<?((?:[^\\s\\\\]|\\\\.)*?)>?(?:\\s+['\"]([\\s\\S]*?)['\"])?\\s*",Z=/mailto:/i,M=function(e,t,n){var r=(e[2]||e[1]).replace(/\s+/g," ").toLowerCase();if(t._defs&&t._defs[r]){var a=t._defs[r];n.target=a.target,n.title=a.title}return t._refs=t._refs||{},t._refs[r]=t._refs[r]||[],t._refs[r].push(n),n},U=0,H={Array:{react:function(e,t,n){for(var r=n.key,a=[],l=0,u=0;l<e.length;l++,u++){n.key=""+l;var o=e[l];if("text"===o.type)for(o={type:"text",content:o.content};l+1<e.length&&"text"===e[l+1].type;l++)o.content+=e[l+1].content;a.push(t(o,n))}return n.key=r,a},html:function(e,t,n){for(var r="",a=0;a<e.length;a++){var l=e[a];if("text"===l.type)for(l={type:"text",content:l.content};a+1<e.length&&"text"===e[a+1].type;a++)l.content+=e[a+1].content;r+=t(l,n)}return r}},heading:{order:U++,match:m(/^ *(#{1,6})([^\n]+?)#* *(?:\n *)+\n/),parse:function(e,t,n){return{level:e[1].length,content:A(t,e[2].trim(),n)}},react:function(e,t,n){return 
v("h"+e.level,n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("h"+e.level,t(e.content,n))}},nptable:{order:U++,match:m(z.NPTABLE_REGEX),parse:z.parseNpTable,react:null,html:null},lheading:{order:U++,match:m(/^([^\n]+)\n *(=|-){3,} *(?:\n *)+\n/),parse:function(e,t,n){return{type:"heading",level:"="===e[2]?1:2,content:A(t,e[1],n)}},react:null,html:null},hr:{order:U++,match:m(/^( *[-*_]){3,} *(?:\n *)+\n/),parse:O,react:function(e,t,n){return v("hr",n.key,x)},html:function(e,t,n){return"<hr>"}},codeBlock:{order:U++,match:m(/^(?:    [^\n]+\n*)+(?:\n *)+\n/),parse:function(e,t,n){return{lang:void 0,content:e[0].replace(/^    /gm,"").replace(/\n+$/,"")}},react:function(e,t,n){var r=e.lang?"markdown-code-"+e.lang:void 0;return v("pre",n.key,{children:v("code",null,{className:r,children:e.content})})},html:function(e,t,n){var r=e.lang?"markdown-code-"+e.lang:void 0,a=k("code",E(e.content),{class:r});return k("pre",a)}},fence:{order:U++,match:m(/^ *(`{3,}|~{3,}) *(?:(\S+) *)?\n([\s\S]+?)\n?\1 *(?:\n *)+\n/),parse:function(e,t,n){return{type:"codeBlock",lang:e[2]||void 0,content:e[3]}},react:null,html:null},blockQuote:{order:U++,match:m(/^( *>[^\n]+(\n[^\n]+)*\n*)+\n{2,}/),parse:function(e,t,n){return{content:t(e[0].replace(/^ *> ?/gm,""),n)}},react:function(e,t,n){return v("blockquote",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("blockquote",t(e.content,n))}},list:{order:U++,match:function(e,t){var n=null==t.prevCapture?"":t.prevCapture[0],r=L.exec(n),a=t._list||!t.inline;return r&&a?(e=r[1]+e,I.exec(e),I.exec(e)):null},parse:function(e,s,d){var t=e[2],n=1<t.length,r=n?+t:void 0,h=e[0].replace(F,"\n").match(j),m=!1;return{ordered:n,start:r,items:h.map(function(e,t){var n=P.exec(e),r=n?n[0].length:0,a=new RegExp("^ {1,"+r+"}","gm"),l=e.replace(a,"").replace(P,""),u=t===h.length-1,o=-1!==l.indexOf("\n\n")||u&&m;m=o;var c,i=d.inline,f=d._list;d._list=!0,c=o?(d.inline=!1,l.replace(N,"\n\n")):(d.inline=!0,l.replace(N,""));var p=s(c,d);return 
d.inline=i,d._list=f,p})}},react:function(e,n,r){var t=e.ordered?"ol":"ul";return v(t,r.key,{start:e.start,children:e.items.map(function(e,t){return v("li",""+t,{children:n(e,r)})})})},html:function(e,t,n){var r=e.items.map(function(e){return k("li",t(e,n))}).join(""),a=e.ordered?"ol":"ul",l={start:e.start};return k(a,r,l)}},def:{order:U++,match:m(/^ *\[([^\]]+)\]: *<?([^\s>]*)>?(?: +["(]([^\n]+)[")])? *\n(?: *\n)*/),parse:function(e,t,n){var r=e[1].replace(/\s+/g," ").toLowerCase(),a=e[2],l=e[3];return n._refs&&n._refs[r]&&n._refs[r].forEach(function(e){e.target=a,e.title=l}),n._defs=n._defs||{},n._defs[r]={target:a,title:l},{def:r,target:a,title:l}},react:function(){return null},html:function(){return""}},table:{order:U++,match:m(z.TABLE_REGEX),parse:z.parseTable,react:function(t,n,r){var a=function(e){return null==t.align[e]?{}:{textAlign:t.align[e]}},e=t.header.map(function(e,t){return v("th",""+t,{style:a(t),scope:"col",children:n(e,r)})}),l=t.cells.map(function(e,t){return v("tr",""+t,{children:e.map(function(e,t){return v("td",""+t,{style:a(t),children:n(e,r)})})})});return v("table",r.key,{children:[v("thead","thead",{children:v("tr",null,{children:e})}),v("tbody","tbody",{children:l})]})},html:function(t,n,r){var a=function(e){return null==t.align[e]?"":"text-align:"+t.align[e]+";"},e=t.header.map(function(e,t){return k("th",n(e,r),{style:a(t),scope:"col"})}).join(""),l=t.cells.map(function(e){var t=e.map(function(e,t){return k("td",n(e,r),{style:a(t)})}).join("");return k("tr",t)}).join(""),u=k("thead",k("tr",e)),o=k("tbody",l);return k("table",u+o)}},newline:{order:U++,match:m(/^(?:\n *)*\n/),parse:O,react:function(e,t,n){return"\n"},html:function(e,t,n){return"\n"}},paragraph:{order:U++,match:m(/^((?:[^\n]|\n(?! 
*\n))+)(?:\n *)+\n/),parse:$,react:function(e,t,n){return v("div",n.key,{className:"paragraph",children:t(e.content,n)})},html:function(e,t,n){return k("div",t(e.content,n),{class:"paragraph"})}},escape:{order:U++,match:p(/^\\([^0-9A-Za-z\s])/),parse:function(e,t,n){return{type:"text",content:e[1]}},react:null,html:null},tableSeparator:{order:U++,match:function(e,t){return t.inTable?/^ *\| */.exec(e):null},parse:function(){return{type:"tableSeparator"}},react:function(){return" | "},html:function(){return" &vert; "}},autolink:{order:U++,match:p(/^<([^ >]+:\/[^ >]+)>/),parse:function(e,t,n){return{type:"link",content:[{type:"text",content:e[1]}],target:e[1]}},react:null,html:null},mailto:{order:U++,match:p(/^<([^ >]+@[^ >]+)>/),parse:function(e,t,n){var r=e[1],a=e[1];return Z.test(a)||(a="mailto:"+a),{type:"link",content:[{type:"text",content:r}],target:a}},react:null,html:null},url:{order:U++,match:p(/^(https?:\/\/[^\s<]+[^<.,:;"')\]\s])/),parse:function(e,t,n){return{type:"link",content:[{type:"text",content:e[1]}],target:e[1],title:void 0}},react:null,html:null},link:{order:U++,match:p(new RegExp("^\\[("+G+")\\]\\("+X+"\\)")),parse:function(e,t,n){return{content:t(e[1],n),target:R(e[2]),title:e[3]}},react:function(e,t,n){return v("a",n.key,{href:w(e.target),title:e.title,children:t(e.content,n)})},html:function(e,t,n){var r={href:w(e.target),title:e.title};return k("a",t(e.content,n),r)}},image:{order:U++,match:p(new RegExp("^!\\[("+G+")\\]\\("+X+"\\)")),parse:function(e,t,n){return{alt:e[1],target:R(e[2]),title:e[3]}},react:function(e,t,n){return v("img",n.key,{src:w(e.target),alt:e.alt,title:e.title})},html:function(e,t,n){var r={src:w(e.target),alt:e.alt,title:e.title};return k("img","",r,!1)}},reflink:{order:U++,match:p(new RegExp("^\\[("+G+")\\]\\s*\\[([^\\]]*)\\]")),parse:function(e,t,n){return M(e,n,{type:"link",content:t(e[1],n)})},react:null,html:null},refimage:{order:U++,match:p(new 
RegExp("^!\\[("+G+")\\]\\s*\\[([^\\]]*)\\]")),parse:function(e,t,n){return M(e,n,{type:"image",alt:e[1]})},react:null,html:null},em:{order:U,match:p(new RegExp("^\\b_((?:__|\\\\[\\s\\S]|[^\\\\_])+?)_\\b|^\\*(?=\\S)((?:\\*\\*|\\\\[\\s\\S]|\\s+(?:\\\\[\\s\\S]|[^\\s\\*\\\\]|\\*\\*)|[^\\s\\*\\\\])+?)\\*(?!\\*)")),quality:function(e){return e[0].length+.2},parse:function(e,t,n){return{content:t(e[2]||e[1],n)}},react:function(e,t,n){return v("em",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("em",t(e.content,n))}},strong:{order:U,match:p(/^\*\*((?:\\[\s\S]|[^\\])+?)\*\*(?!\*)/),quality:function(e){return e[0].length+.1},parse:$,react:function(e,t,n){return v("strong",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("strong",t(e.content,n))}},u:{order:U++,match:p(/^__((?:\\[\s\S]|[^\\])+?)__(?!_)/),quality:function(e){return e[0].length},parse:$,react:function(e,t,n){return v("u",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("u",t(e.content,n))}},del:{order:U++,match:p(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~]|\s(?!~~))+?)~~/),parse:$,react:function(e,t,n){return v("del",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("del",t(e.content,n))}},inlineCode:{order:U++,match:p(/^(`+)([\s\S]*?[^`])\1(?!`)/),parse:function(e,t,n){return{content:e[2].replace(B,"$1")}},react:function(e,t,n){return v("code",n.key,{children:e.content})},html:function(e,t,n){return k("code",E(e.content))}},br:{order:U++,match:y(/^ {2,}\n/),parse:O,react:function(e,t,n){return v("br",n.key,x)},html:function(e,t,n){return"<br>"}},text:{order:U++,match:y(/^[\s\S]+?(?=[^0-9A-Za-z\s\u00c0-\uffff]|\n\n| {2,}\n|\w+:\S|$)/),parse:function(e,t,n){return{content:e[0]}},react:function(e,t,n){return e.content},html:function(e,t,n){return E(e.content)}}},D=function(n,r,a){if(!r)throw new Error("simple-markdown: outputFor: `property` must be defined. 
if you just upgraded, you probably need to replace `outputFor` with `reactFor`");var l,u=n.Array||H.Array,o=function(e,t){return l=t=t||l,Array.isArray(e)?u[r](e,o,t):n[e.type][r](e,o,t)};return function(e,t){return l=i(t,a),o(e,l)}},Q=f(H),J=function(e,t){return(t=t||{}).inline=!1,Q(e,t)},K=function(e,t){var n=q.test(e);return(t=t||{}).inline=!n,Q(e,t)},V=D(H,"react"),W=D(H,"html"),Y=function(e,t){return V(J(e,t),t)},ee={defaultRules:H,parserFor:f,outputFor:D,inlineRegex:p,blockRegex:m,anyScopeRegex:y,parseInline:A,parseBlock:function(e,t,n){var r=n.inline||!1;n.inline=!1;var a=e(t+"\n\n",n);return n.inline=r,a},markdownToReact:Y,markdownToHtml:function(e,t){return W(J(e,t),t)},ReactMarkdown:function(e){var t={};for(var n in e)"source"!==n&&Object.prototype.hasOwnProperty.call(e,n)&&(t[n]=e[n]);return t.children=Y(e.source),v("div",null,t)},defaultBlockParse:J,defaultInlineParse:function(e,t){return(t=t||{}).inline=!0,Q(e,t)},defaultImplicitParse:K,defaultReactOutput:V,defaultHtmlOutput:W,preprocess:c,sanitizeText:E,sanitizeUrl:w,unescapeUrl:R,htmlTag:k,reactElement:v,defaultRawParse:Q,ruleOutput:function(r,a){return a||"undefined"==typeof console||console.warn("simple-markdown ruleOutput should take 'react' or 'html' as the second argument."),function(e,t,n){return r[e.type][a](e,t,n)}},reactFor:function(o){var c=function(e,t){if(t=t||{},Array.isArray(e)){for(var n=t.key,r=[],a=null,l=0;l<e.length;l++){t.key=""+l;var u=c(e[l],t);"string"==typeof u&&"string"==typeof a?(a+=u,r[r.length-1]=a):(r.push(u),a=u)}return t.key=n,r}return o(e,c,t)};return c},htmlFor:function(n){var r=function(e,t){return t=t||{},Array.isArray(e)?e.map(function(e){return r(e,t)}).join(""):n(e,r,t)};return r},defaultParse:function(){return"undefined"!=typeof console&&console.warn("defaultParse is deprecated, please use `defaultImplicitParse`"),K.apply(null,arguments)},defaultOutput:function(){return"undefined"!=typeof console&&console.warn("defaultOutput is deprecated, please use 
`defaultReactOutput`"),V.apply(null,arguments)}};"undefined"!=typeof module&&module.exports?module.exports=ee:"undefined"!=typeof global?global.SimpleMarkdown=ee:window.SimpleMarkdown=ee}();
    \ No newline at end of file
    +!function(){var s,o,t,n,r,d,h,e,a=/\r\n?/g,l=/\t/g,u=/\f/g,c=function(e){return e.replace(a,"\n").replace(u,"").replace(l,"    ")},i=function(e,t){var n=e||{};if(null!=t)for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(n[r]=t[r]);return n},f=function(m,n){var y,g=Object.keys(m).filter(function(e){var t=m[e];if(null==t||null==t.match)return!1;var n=t.order;return"number"==typeof n&&isFinite(n)||"undefined"==typeof console||console.warn("simple-markdown: Invalid order for rule `"+e+"`: "+String(n)),!0});g.sort(function(e,t){var n=m[e],r=m[t],a=n.order,l=r.order;if(a!==l)return a-l;var u=n.quality?0:1,o=r.quality?0:1;return u!==o?u-o:e<t?-1:t<e?1:0});var v=function(e,t){var n=[];for(y=t=t||y;e;){var r=null,a=null,l=null,u=NaN,o=0,c=g[0],i=m[c];do{var f=i.order,p=null==t.prevCapture?"":t.prevCapture[0],s=i.match(e,t,p);if(s){var d=i.quality?i.quality(s,t,p):0;d<=u||(r=c,a=i,l=s,u=d)}c=g[++o],i=m[c]}while(i&&(!l||i.order===f&&i.quality));if(!0!==t.disableErrorGuards){if(null==a||null==l)throw new Error("Could not find a matching rule for the below content. The rule with highest `order` should always match content provided to it. Check the definition of `match` for '"+g[g.length-1]+"'. It seems to not match the following source:\n"+e);if(0!==l.index&&e.slice(0,l[0].length)!==l[0])throw new Error("`match` must return a capture starting at index 0 (the current parse index). 
Did you forget a ^ at the start of the RegExp?")}var h=a.parse(l,v,t);Array.isArray(h)?Array.prototype.push.apply(n,h):(null==h.type&&(h.type=r),n.push(h)),t.prevCapture=l,e=e.substring(t.prevCapture[0].length)}return n};return function(e,t){return(y=i(t,n)).inline||y.disableAutoBlockNewlines||(e+="\n\n"),y.prevCapture=null,v(c(e),y)}},p=function(n){var e=function(e,t){return t.inline?n.exec(e):null};return e.regex=n,e},m=function(n){var e=function(e,t){return t.inline?null:n.exec(e)};return e.regex=n,e},y=function(n){var e=function(e,t){return n.exec(e)};return e.regex=n,e},g="function"==typeof Symbol&&Symbol.for&&Symbol.for("react.element")||60103,v=function(e,t,n){return{$$typeof:g,type:e,key:t,ref:null,props:n,_owner:null}},k=function(e,t,n,r){n=n||{},r=void 0===r||r;var a="";for(var l in n){var u=n[l];Object.prototype.hasOwnProperty.call(n,l)&&u&&(a+=" "+E(l)+'="'+E(u)+'"')}var o="<"+e+a+">";return r?o+t+"</"+e+">":o},x={},w=function(e){if(null==e)return null;try{var t=decodeURIComponent(e).replace(/[^A-Za-z0-9/:]/g,"").toLowerCase();if(0===t.indexOf("javascript:")||0===t.indexOf("vbscript:")||0===t.indexOf("data:"))return null}catch(e){return null}return e},b=/[<>&"']/g,_={"<":"&lt;",">":"&gt;","&":"&amp;",'"':"&quot;","'":"&#x27;","/":"&#x2F;","`":"&#96;"},E=function(e){return String(e).replace(b,function(e){return _[e]})},S=/\\([^0-9A-Za-z\s])/g,R=function(e){return e.replace(S,"$1")},A=function(e,t,n){var r=n.inline||!1;n.inline=!0;var a=e(t,n);return n.inline=r,a},$=function(e,t,n){return{content:A(t,e[1],n)}},O=function(){return{}},T="(?:[*+-]|\\d+\\.)",C="( *)("+T+") +",P=new RegExp("^"+C),j=new RegExp(C+"[^\\n]*(?:\\n(?!\\1"+T+" )[^\\n]*)*(\n|$)","gm"),q=/\n{2,}$/,B=/^ (?= *`)|(` *) $/g,F=q,N=/ *\n+$/,I=new RegExp("^( *)("+T+") [\\s\\S]+?(?:\n{2,}(?! 
)(?!\\1"+T+" )\\n*|\\s*\n*$)"),L=/(?:^|\n)( *)$/,z=(s=/^ *\| *| *\| *$/g,o=/ *$/,t=/^ *-+: *$/,n=/^ *:-+: *$/,r=/^ *:-+ *$/,d=function(e){return t.test(e)?"right":n.test(e)?"center":r.test(e)?"left":null},h=function(e,t,n,r){var a=n.inTable;n.inTable=!0;var l=t(e.trim(),n);n.inTable=a;var u=[[]];return l.forEach(function(e,t){"tableSeparator"===e.type?(!r||0!==t&&t!==l.length-1)&&u.push([]):("text"!==e.type||null!=l[t+1]&&"tableSeparator"!==l[t+1].type||(e.content=e.content.replace(o,"")),u[u.length-1].push(e))}),u},{parseTable:(e=function(p){return function(e,t,n){n.inline=!0;var r,a,l,u,o,c=h(e[1],t,n,p),i=(r=e[2],p&&(r=r.replace(s,"")),r.trim().split("|").map(d)),f=(a=e[3],l=t,u=n,o=p,a.trim().split("\n").map(function(e){return h(e,l,u,o)}));return n.inline=!1,{type:"table",header:c,align:i,cells:f}}})(!0),parseNpTable:e(!1),TABLE_REGEX:/^ *(\|.+)\n *\|( *[-:]+[-| :]*)\n((?: *\|.*(?:\n|$))*)\n*/,NPTABLE_REGEX:/^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*/}),G="(?:\\[[^\\]]*\\]|[^\\[\\]]|\\](?=[^\\[]*\\]))*",X="\\s*<?((?:[^\\s\\\\]|\\\\.)*?)>?(?:\\s+['\"]([\\s\\S]*?)['\"])?\\s*",Z=/mailto:/i,M=function(e,t,n){var r=(e[2]||e[1]).replace(/\s+/g," ").toLowerCase();if(t._defs&&t._defs[r]){var a=t._defs[r];n.target=a.target,n.title=a.title}return t._refs=t._refs||{},t._refs[r]=t._refs[r]||[],t._refs[r].push(n),n},U=0,H={Array:{react:function(e,t,n){for(var r=n.key,a=[],l=0,u=0;l<e.length;l++,u++){n.key=""+l;var o=e[l];if("text"===o.type)for(o={type:"text",content:o.content};l+1<e.length&&"text"===e[l+1].type;l++)o.content+=e[l+1].content;a.push(t(o,n))}return n.key=r,a},html:function(e,t,n){for(var r="",a=0;a<e.length;a++){var l=e[a];if("text"===l.type)for(l={type:"text",content:l.content};a+1<e.length&&"text"===e[a+1].type;a++)l.content+=e[a+1].content;r+=t(l,n)}return r}},heading:{order:U++,match:m(/^ *(#{1,6})([^\n]+?)#* *(?:\n *)+\n/),parse:function(e,t,n){return{level:e[1].length,content:A(t,e[2].trim(),n)}},react:function(e,t,n){return 
v("h"+e.level,n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("h"+e.level,t(e.content,n))}},nptable:{order:U++,match:m(z.NPTABLE_REGEX),parse:z.parseNpTable,react:null,html:null},lheading:{order:U++,match:m(/^([^\n]+)\n *(=|-){3,} *(?:\n *)+\n/),parse:function(e,t,n){return{type:"heading",level:"="===e[2]?1:2,content:A(t,e[1],n)}},react:null,html:null},hr:{order:U++,match:m(/^( *[-*_]){3,} *(?:\n *)+\n/),parse:O,react:function(e,t,n){return v("hr",n.key,x)},html:function(e,t,n){return"<hr>"}},codeBlock:{order:U++,match:m(/^(?:    [^\n]+\n*)+(?:\n *)+\n/),parse:function(e,t,n){return{lang:void 0,content:e[0].replace(/^    /gm,"").replace(/\n+$/,"")}},react:function(e,t,n){var r=e.lang?"markdown-code-"+e.lang:void 0;return v("pre",n.key,{children:v("code",null,{className:r,children:e.content})})},html:function(e,t,n){var r=e.lang?"markdown-code-"+e.lang:void 0,a=k("code",E(e.content),{class:r});return k("pre",a)}},fence:{order:U++,match:m(/^ *(`{3,}|~{3,}) *(?:(\S+) *)?\n([\s\S]+?)\n?\1 *(?:\n *)+\n/),parse:function(e,t,n){return{type:"codeBlock",lang:e[2]||void 0,content:e[3]}},react:null,html:null},blockQuote:{order:U++,match:m(/^( *>[^\n]+(\n[^\n]+)*\n*)+\n{2,}/),parse:function(e,t,n){return{content:t(e[0].replace(/^ *> ?/gm,""),n)}},react:function(e,t,n){return v("blockquote",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("blockquote",t(e.content,n))}},list:{order:U++,match:function(e,t){var n=null==t.prevCapture?"":t.prevCapture[0],r=L.exec(n),a=t._list||!t.inline;return r&&a?(e=r[1]+e,I.exec(e),I.exec(e)):null},parse:function(e,s,d){var t=e[2],n=1<t.length,r=n?+t:void 0,h=e[0].replace(F,"\n").match(j),m=!1;return{ordered:n,start:r,items:h.map(function(e,t){var n=P.exec(e),r=n?n[0].length:0,a=new RegExp("^ {1,"+r+"}","gm"),l=e.replace(a,"").replace(P,""),u=t===h.length-1,o=-1!==l.indexOf("\n\n")||u&&m;m=o;var c,i=d.inline,f=d._list;d._list=!0,c=o?(d.inline=!1,l.replace(N,"\n\n")):(d.inline=!0,l.replace(N,""));var p=s(c,d);return 
d.inline=i,d._list=f,p})}},react:function(e,n,r){var t=e.ordered?"ol":"ul";return v(t,r.key,{start:e.start,children:e.items.map(function(e,t){return v("li",""+t,{children:n(e,r)})})})},html:function(e,t,n){var r=e.items.map(function(e){return k("li",t(e,n))}).join(""),a=e.ordered?"ol":"ul",l={start:e.start};return k(a,r,l)}},def:{order:U++,match:m(/^ *\[([^\]]+)\]: *<?([^\s>]*)>?(?: +["(]([^\n]+)[")])? *\n(?: *\n)*/),parse:function(e,t,n){var r=e[1].replace(/\s+/g," ").toLowerCase(),a=e[2],l=e[3];return n._refs&&n._refs[r]&&n._refs[r].forEach(function(e){e.target=a,e.title=l}),n._defs=n._defs||{},n._defs[r]={target:a,title:l},{def:r,target:a,title:l}},react:function(){return null},html:function(){return""}},table:{order:U++,match:m(z.TABLE_REGEX),parse:z.parseTable,react:function(t,n,r){var a=function(e){return null==t.align[e]?{}:{textAlign:t.align[e]}},e=t.header.map(function(e,t){return v("th",""+t,{style:a(t),scope:"col",children:n(e,r)})}),l=t.cells.map(function(e,t){return v("tr",""+t,{children:e.map(function(e,t){return v("td",""+t,{style:a(t),children:n(e,r)})})})});return v("table",r.key,{children:[v("thead","thead",{children:v("tr",null,{children:e})}),v("tbody","tbody",{children:l})]})},html:function(t,n,r){var a=function(e){return null==t.align[e]?"":"text-align:"+t.align[e]+";"},e=t.header.map(function(e,t){return k("th",n(e,r),{style:a(t),scope:"col"})}).join(""),l=t.cells.map(function(e){var t=e.map(function(e,t){return k("td",n(e,r),{style:a(t)})}).join("");return k("tr",t)}).join(""),u=k("thead",k("tr",e)),o=k("tbody",l);return k("table",u+o)}},newline:{order:U++,match:m(/^(?:\n *)*\n/),parse:O,react:function(e,t,n){return"\n"},html:function(e,t,n){return"\n"}},paragraph:{order:U++,match:m(/^((?:[^\n]|\n(?! 
*\n))+)(?:\n *)+\n/),parse:$,react:function(e,t,n){return v("div",n.key,{className:"paragraph",children:t(e.content,n)})},html:function(e,t,n){return k("div",t(e.content,n),{class:"paragraph"})}},escape:{order:U++,match:p(/^\\([^0-9A-Za-z\s])/),parse:function(e,t,n){return{type:"text",content:e[1]}},react:null,html:null},tableSeparator:{order:U++,match:function(e,t){return t.inTable?/^ *\| */.exec(e):null},parse:function(){return{type:"tableSeparator"}},react:function(){return" | "},html:function(){return" &vert; "}},autolink:{order:U++,match:p(/^<([^: >]+:\/[^ >]+)>/),parse:function(e,t,n){return{type:"link",content:[{type:"text",content:e[1]}],target:e[1]}},react:null,html:null},mailto:{order:U++,match:p(/^<([^ >]+@[^ >]+)>/),parse:function(e,t,n){var r=e[1],a=e[1];return Z.test(a)||(a="mailto:"+a),{type:"link",content:[{type:"text",content:r}],target:a}},react:null,html:null},url:{order:U++,match:p(/^(https?:\/\/[^\s<]+[^<.,:;"')\]\s])/),parse:function(e,t,n){return{type:"link",content:[{type:"text",content:e[1]}],target:e[1],title:void 0}},react:null,html:null},link:{order:U++,match:p(new RegExp("^\\[("+G+")\\]\\("+X+"\\)")),parse:function(e,t,n){return{content:t(e[1],n),target:R(e[2]),title:e[3]}},react:function(e,t,n){return v("a",n.key,{href:w(e.target),title:e.title,children:t(e.content,n)})},html:function(e,t,n){var r={href:w(e.target),title:e.title};return k("a",t(e.content,n),r)}},image:{order:U++,match:p(new RegExp("^!\\[("+G+")\\]\\("+X+"\\)")),parse:function(e,t,n){return{alt:e[1],target:R(e[2]),title:e[3]}},react:function(e,t,n){return v("img",n.key,{src:w(e.target),alt:e.alt,title:e.title})},html:function(e,t,n){var r={src:w(e.target),alt:e.alt,title:e.title};return k("img","",r,!1)}},reflink:{order:U++,match:p(new RegExp("^\\[("+G+")\\]\\s*\\[([^\\]]*)\\]")),parse:function(e,t,n){return M(e,n,{type:"link",content:t(e[1],n)})},react:null,html:null},refimage:{order:U++,match:p(new 
RegExp("^!\\[("+G+")\\]\\s*\\[([^\\]]*)\\]")),parse:function(e,t,n){return M(e,n,{type:"image",alt:e[1]})},react:null,html:null},em:{order:U,match:p(new RegExp("^\\b_((?:__|\\\\[\\s\\S]|[^\\\\_])+?)_\\b|^\\*(?=\\S)((?:\\*\\*|\\\\[\\s\\S]|\\s+(?:\\\\[\\s\\S]|[^\\s\\*\\\\]|\\*\\*)|[^\\s\\*\\\\])+?)\\*(?!\\*)")),quality:function(e){return e[0].length+.2},parse:function(e,t,n){return{content:t(e[2]||e[1],n)}},react:function(e,t,n){return v("em",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("em",t(e.content,n))}},strong:{order:U,match:p(/^\*\*((?:\\[\s\S]|[^\\])+?)\*\*(?!\*)/),quality:function(e){return e[0].length+.1},parse:$,react:function(e,t,n){return v("strong",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("strong",t(e.content,n))}},u:{order:U++,match:p(/^__((?:\\[\s\S]|[^\\])+?)__(?!_)/),quality:function(e){return e[0].length},parse:$,react:function(e,t,n){return v("u",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("u",t(e.content,n))}},del:{order:U++,match:p(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~]|\s(?!~~))+?)~~/),parse:$,react:function(e,t,n){return v("del",n.key,{children:t(e.content,n)})},html:function(e,t,n){return k("del",t(e.content,n))}},inlineCode:{order:U++,match:p(/^(`+)([\s\S]*?[^`])\1(?!`)/),parse:function(e,t,n){return{content:e[2].replace(B,"$1")}},react:function(e,t,n){return v("code",n.key,{children:e.content})},html:function(e,t,n){return k("code",E(e.content))}},br:{order:U++,match:y(/^ {2,}\n/),parse:O,react:function(e,t,n){return v("br",n.key,x)},html:function(e,t,n){return"<br>"}},text:{order:U++,match:y(/^[\s\S]+?(?=[^0-9A-Za-z\s\u00c0-\uffff]|\n\n| {2,}\n|\w+:\S|$)/),parse:function(e,t,n){return{content:e[0]}},react:function(e,t,n){return e.content},html:function(e,t,n){return E(e.content)}}},D=function(n,r,a){if(!r)throw new Error("simple-markdown: outputFor: `property` must be defined. 
if you just upgraded, you probably need to replace `outputFor` with `reactFor`");var l,u=n.Array||H.Array,o=function(e,t){return l=t=t||l,Array.isArray(e)?u[r](e,o,t):n[e.type][r](e,o,t)};return function(e,t){return l=i(t,a),o(e,l)}},Q=f(H),J=function(e,t){return(t=t||{}).inline=!1,Q(e,t)},K=function(e,t){var n=q.test(e);return(t=t||{}).inline=!n,Q(e,t)},V=D(H,"react"),W=D(H,"html"),Y=function(e,t){return V(J(e,t),t)},ee={defaultRules:H,parserFor:f,outputFor:D,inlineRegex:p,blockRegex:m,anyScopeRegex:y,parseInline:A,parseBlock:function(e,t,n){var r=n.inline||!1;n.inline=!1;var a=e(t+"\n\n",n);return n.inline=r,a},markdownToReact:Y,markdownToHtml:function(e,t){return W(J(e,t),t)},ReactMarkdown:function(e){var t={};for(var n in e)"source"!==n&&Object.prototype.hasOwnProperty.call(e,n)&&(t[n]=e[n]);return t.children=Y(e.source),v("div",null,t)},defaultBlockParse:J,defaultInlineParse:function(e,t){return(t=t||{}).inline=!0,Q(e,t)},defaultImplicitParse:K,defaultReactOutput:V,defaultHtmlOutput:W,preprocess:c,sanitizeText:E,sanitizeUrl:w,unescapeUrl:R,htmlTag:k,reactElement:v,defaultRawParse:Q,ruleOutput:function(r,a){return a||"undefined"==typeof console||console.warn("simple-markdown ruleOutput should take 'react' or 'html' as the second argument."),function(e,t,n){return r[e.type][a](e,t,n)}},reactFor:function(o){var c=function(e,t){if(t=t||{},Array.isArray(e)){for(var n=t.key,r=[],a=null,l=0;l<e.length;l++){t.key=""+l;var u=c(e[l],t);"string"==typeof u&&"string"==typeof a?(a+=u,r[r.length-1]=a):(r.push(u),a=u)}return t.key=n,r}return o(e,c,t)};return c},htmlFor:function(n){var r=function(e,t){return t=t||{},Array.isArray(e)?e.map(function(e){return r(e,t)}).join(""):n(e,r,t)};return r},defaultParse:function(){return"undefined"!=typeof console&&console.warn("defaultParse is deprecated, please use `defaultImplicitParse`"),K.apply(null,arguments)},defaultOutput:function(){return"undefined"!=typeof console&&console.warn("defaultOutput is deprecated, please use 
`defaultReactOutput`"),V.apply(null,arguments)}};"undefined"!=typeof module&&module.exports?module.exports=ee:"undefined"!=typeof global?global.SimpleMarkdown=ee:window.SimpleMarkdown=ee}();
    \ No newline at end of file
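Review bot: the committed simple-markdown.min.js is a single line with no trailing newline, so this hunk replaces the whole file and the change cannot be checked by reading it. The part that corresponds to the fix is the autolink rule, where p(/^<([^ >]+:\/[^ >]+)>/) becomes p(/^<([^: >]+:\/[^ >]+)>/). Suggest generating the bundle from simple-markdown.js at release time, or adding a release check that rebuilds it and compares the result, so the shipped artifact cannot drift from the reviewed source.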
    
015a719bf5cd

Fix ReDoS with autolink

1 file changed · +1 -1
  • simple-markdown.js · +1 -1 · modified
    @@ -1316,7 +1316,7 @@ var defaultRules /* : DefaultRules */ = {
         },
         autolink: {
             order: currOrder++,
    -        match: inlineRegex(/^<([^ >]+:\/[^ >]+)>/),
    +        match: inlineRegex(/^<([^: >]+:\/[^ >]+)>/),
             parse: function(capture, parse, state) {
                 return {
                     type: "link",
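Review bot: the change to the first character class on the match: line ships without a test, since this commit touches only simple-markdown.js. Suggest adding a regression test that feeds the autolink rule a long unterminated run of < followed by :/ pairs and asserts it returns promptly, plus a case showing that an ordinary <scheme://host> autolink still parses. A short comment on the line would also help: excluding : from the first class means a target with a colon before its first :/ no longer matches this rule.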
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
