
CVE-2019-25102 simple-markdown

Package

Manager: npm
Name: simple-markdown
Vulnerable Version: >=0 <0.6.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0008 (percentile: 0.24315)

Details

Regular Expression Denial of Service in simple-markdown

A vulnerability classified as problematic was found in simple-markdown 0.6.0. It affects an unknown function in the file simple-markdown.js. Manipulation with the input <<<<<<<<<<:/:/:/:/:/:/:/:/:/:/ leads to inefficient regular expression complexity. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.6.1 addresses this issue. The name of the patch is 015a719bf5cdc561feea05500ecb3274ef609cd2. It is recommended to upgrade the affected component. VDB-220638 is the identifier assigned to this vulnerability.

Metadata

Created: 2023-02-12T15:30:25Z
Modified: 2023-02-22T16:31:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-j533-2g8v-pmpg/GHSA-j533-2g8v-pmpg.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-j533-2g8v-pmpg
Finding: F211
Auto approve: 1