VYPR
Moderate severity · NVD Advisory · Published Jan 10, 2022 · Updated Apr 22, 2025

Uncontrolled Resource Consumption in markdown-it

CVE-2022-21670

Description

markdown-it versions before 12.3.2 are vulnerable to a ReDoS via crafted input patterns exceeding 50,000 characters, causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The markdown-it Markdown parser, prior to version 12.3.2, contains a regular expression denial-of-service (ReDoS) vulnerability in the inline newline rule. Specially crafted patterns with a length greater than 50,000 characters can cause the parser to slow down significantly due to inefficient regex backtracking. The vulnerable code path is triggered when processing input with many trailing spaces before newlines. The issue was fixed in commit ffc49ab46b5b751cd2be0aabb146f2ef84986101 and released in version 12.3.2. [1][3][4]

Exploitation

An attacker with the ability to provide arbitrary Markdown input to a parser instance (e.g., via a web form, file upload, or API endpoint) can craft a payload consisting of many trailing spaces or other matching patterns that cause the regex `/ +$/` to backtrack exponentially. No authentication or special privilege is required beyond network access to the service. The attack is triggered simply by rendering the malicious input with markdown-it. [1][3]

Impact

Successful exploitation causes the parser to consume excessive CPU time, leading to a denial-of-service (DoS) condition. The attacker can degrade performance for legitimate users or cause the application to become unresponsive. No data corruption, privilege escalation, or remote code execution is possible; the impact is limited to availability (service disruption). [1][3]

Mitigation

Users should upgrade to markdown-it version 12.3.2 or later, which removes the vulnerable regex and replaces it with an iterative character search. The fix was published on January 10, 2022. There are no known workarounds aside from upgrading, as the vulnerability is inherent to the parser's core rule handling. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog (as of writing). [1][3][4]
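As an added illustration (not markdown-it's or this page's own code), the vulnerable regex and the iterative scan that replaced it, side by side, with a small timing harness run on a buffer shaped like the regression test's pattern. The function names and the `performance.now()` timing are this example's own choices, and the scan is generalised to start from the end of the buffer rather than from `pmax - 1` as the real rule does.

```javascript
// Added example, not markdown-it's own code: the two ways of stripping the
// trailing-space run from the inline rule's `pending` buffer, generalised to
// scan from the end instead of assuming the last two chars are spaces.

// Vulnerable form (markdown-it < 12.3.2). `/ +$/` is retried from every
// space in the buffer; on a long run of spaces that is NOT at the end, each
// attempt matches the whole run, fails at `$`, then backtracks one char at a
// time, so total work grows quadratically with the run length.
function stripTrailingSpacesRegex(pending) {
  return pending.replace(/ +$/, '');
}

// Fixed form (shape of the 12.3.2 change): walk backwards over spaces only,
// so the cost is bounded by the length of the trailing run itself.
function stripTrailingSpacesScan(pending) {
  let ws = pending.length;
  while (ws >= 1 && pending.charCodeAt(ws - 1) === 0x20) ws--;
  return pending.slice(0, ws);
}

// Constructed input in the shape of the regression test's pattern: the text
// before the '\n' that triggers a hardbreak is 'x' + interior run + 'x  '.
function pathologicalPending(runLength) {
  return 'x' + ' '.repeat(runLength) + 'x  ';
}

// Time both implementations on the same buffer (milliseconds) and check that
// they agree on the result.
function timeBoth(runLength) {
  const input = pathologicalPending(runLength);
  let t = performance.now();
  const viaRegex = stripTrailingSpacesRegex(input);
  const regexMs = performance.now() - t;
  t = performance.now();
  const viaScan = stripTrailingSpacesScan(input);
  const scanMs = performance.now() - t;
  if (viaRegex !== viaScan) throw new Error('implementations disagree');
  return { regexMs, scanMs };
}

// Regex time grows roughly quadratically with the run length; the scan stays flat.
for (const n of [4000, 8000, 16000]) {
  const { regexMs, scanMs } = timeBoth(n);
  console.log(`run=${n}: regex ${regexMs.toFixed(1)} ms, scan ${scanMs.toFixed(3)} ms`);
}
```

Both functions return the same string on every input; only their cost differs, which is why upgrading (rather than input filtering) is the fix.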

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions   Patched versions
markdown-it   npm         < 12.3.2            12.3.2

Affected products: 2

Patches: 1

ffc49ab46b5b

Fix possible ReDOS in newline rule.

https://github.com/markdown-it/markdown-it · Vitaly Puzrin · Jan 8, 2022 · via ghsa
3 files changed · +15 −2
  • CHANGELOG.md (+5 −0) modified
    @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
     The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
     and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
     
    +## [12.3.2] - 2022-01-08
    +### Security
    +- Fix possible ReDOS in newline rule. Thanks to @MakeNowJust.
    +
     
     ## [12.3.1] - 2022-01-07
     ### Fixed
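Review bot: the new `### Security` entry names the fix but not what triggers it; consider stating the input shape (a long run of spaces before a two-space hardbreak) so downstream users can judge their exposure from the changelog alone, and linking the advisory once an identifier is assigned.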
    @@ -588,6 +592,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - Renamed presets folder (configs -> presets).
     
     
    +[12.3.2]: https://github.com/markdown-it/markdown-it/compare/12.3.1...12.3.2
     [12.3.1]: https://github.com/markdown-it/markdown-it/compare/12.3.0...12.3.1
     [12.3.0]: https://github.com/markdown-it/markdown-it/compare/12.2.0...12.3.0
     [12.2.0]: https://github.com/markdown-it/markdown-it/compare/12.1.0...12.2.0
    
  • lib/rules_inline/newline.js (+6 −2) modified
    @@ -6,7 +6,7 @@ var isSpace = require('../common/utils').isSpace;
     
     
     module.exports = function newline(state, silent) {
    -  var pmax, max, pos = state.pos;
    +  var pmax, max, ws, pos = state.pos;
     
       if (state.src.charCodeAt(pos) !== 0x0A/* \n */) { return false; }
     
    @@ -20,7 +20,11 @@ module.exports = function newline(state, silent) {
       if (!silent) {
         if (pmax >= 0 && state.pending.charCodeAt(pmax) === 0x20) {
           if (pmax >= 1 && state.pending.charCodeAt(pmax - 1) === 0x20) {
    -        state.pending = state.pending.replace(/ +$/, '');
    +        // Find whitespaces tail of pending chars.
    +        ws = pmax - 1;
    +        while (ws >= 1 && state.pending.charCodeAt(ws - 1) === 0x20) ws--;
    +
    +        state.pending = state.pending.slice(0, ws);
             state.push('hardbreak', 'br', 0);
           } else {
             state.pending = state.pending.slice(0, -1);
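Review bot: the loop is correct and equivalent to the removed `replace(/ +$/, '')`: it starts at `pmax - 1` (both `pmax` and `pmax - 1` are already known to be spaces from the enclosing `if`s), the `ws >= 1` bound lets an all-space `pending` collapse to the empty string, and the cost is now linear in the trailing run instead of quadratic in the whole buffer, since `/ +$/` was retried from every space of a long interior run. The comment should say why the regex went away, e.g. `// Scan backwards instead of / +$/ to avoid quadratic backtracking.`, and "whitespaces tail" reads better as "whitespace tail".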
    
  • test/pathological.js (+4 −0) modified
    @@ -138,5 +138,9 @@ describe('Pathological sequences speed', () => {
         it('autolinks <<<<...<<> pattern', async () => {
           await test_pattern('<'.repeat(400000) + '>');
         });
    +
    +    it('hardbreak whitespaces pattern', async () => {
    +      await test_pattern('x' + ' '.repeat(150000) + 'x  \nx');
    +    });
       });
     });
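Review bot: the pattern exercises exactly the slow case, since the 150000-space run sits between two `x` characters (interior, not trailing) and the two spaces before `\n` force the hardbreak branch that used `/ +$/`; a name such as `'long interior space run before hardbreak'` would make that intent clearer than `'hardbreak whitespaces pattern'`, and a short comment tying the case to the changelog entry would help future readers.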
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
