Showdown vulnerable to Regular Expression Denial of Service (ReDoS) in link/anchor parsing

Description

Showdownjs, versions <= 2.1.0, anchors subparser used to parse links has a nested regular expression which can lead to denial of service conditions given malicious input.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.1.0

References

• GHSA-rmmh-p597-ppvv
• www.tenable.com
• CVE-2024-1899
• CWE-674
• CWE-777
• CAPEC-310
• OWASP 2021-A6

Related Issues

• parse-uri Regular expression Denial of Service (ReDoS) - CVE-2024-36751
• jspdf vulnerable to Regular Expression Denial of Service (ReDoS) - CVE-2021-23353
• es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens` - CVE-2024-27088
• html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

showdown