npm package
markdown-it
pkg:npm/markdown-it
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48988 | — | — | — | < 14.2.0 | 14.2.0 | Jun 15, 2026 | Summary: A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea |
| CVE-2026-2327 | — | — | — | >= 13.0.0, < 14.1.1 | 14.1.1 | Feb 12, 2026 | Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex `/\*+$/` in the linkify function. An attacker can supply a long sequence of `*` characters followed by a non-matching character |
| CVE-2015-10005 | — | — | — | < 3.0.0 | 3.0.0 | Dec 27, 2022 | A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file `lib/common/html_re.js`. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this is |
| CVE-2022-21670 | — | — | — | < 12.3.2 | 12.3.2 | Jan 10, 2022 | markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading. |