Description
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex `/\*+$/` in the linkify function.
Recommendation
Update the markdown-it package to the latest compatible version. Version details:
- Affected version(s): >= 13.0.0, < 14.1.1
- Patched version(s): 14.1.1
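One way to check a project against this range, as an added example (not code from the advisory or from markdown-it): it scans the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) for markdown-it entries with a version >= 13.0.0 and < 14.1.1, including nested copies pulled in by other dependencies. The function names and the sample lockfile with its package names are constructed for illustration.

```javascript
// Added example: flag markdown-it installs inside the advisory's affected range.
const AFFECTED_FROM = [13, 0, 0]; // ">= 13.0.0" from the advisory
const PATCHED = [14, 1, 1];       // "< 14.1.1" from the advisory

// Parse "x.y.z[-pre][+build]" into { core: [x, y, z], pre: bool }, or null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version is >= 13.0.0 and < 14.1.1. Unparseable strings return false.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false;
  const lo = cmpCore(p.core, AFFECTED_FROM);
  // A prerelease of 13.0.0 sorts before 13.0.0, so it is below the range.
  if (lo < 0 || (lo === 0 && p.pre)) return false;
  const hi = cmpCore(p.core, PATCHED);
  // A prerelease of 14.1.1 sorts before 14.1.1, so it is still in range.
  return hi < 0 || (hi === 0 && p.pre);
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/markdown-it")) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/markdown-it": { version: "14.1.1" },
  "node_modules/docs-tool/node_modules/markdown-it": { version: "13.0.2" },
  "node_modules/legacy/node_modules/markdown-it": { version: "12.3.2" },
} };
console.log(findAffected(sampleLock));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `findAffected` in place of `sampleLock`.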
References
Related Issues
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- jspdf vulnerable to Regular Expression Denial of Service (ReDoS) - CVE-2021-23353
- Regular Expression Denial of Service (ReDoS) in ua-parser-js - CVE-2021-27292
- Tags:
- npm
- markdown-it
Last updated on February 13, 2026