org.webjars.bowergithub.markdown-it:markdown-it@8.4.1 vulnerabilities

  • latest version

    10.0.0

  • first published

    6 years ago

  • latest version published

    4 years ago

  • licenses detected

  • package manager

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.bowergithub.markdown-it:markdown-it package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: High
Infinite loop

org.webjars.bowergithub.markdown-it:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to an infinite loop in the linkify inline rule when given malformed input.

How to fix Infinite loop?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
Severity: Medium
Regular Expression Denial of Service (ReDoS)

org.webjars.bowergithub.markdown-it:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the /\s+$/ pattern in line 23 of lib/rules_inline/newline.js. The expression is meant to remove trailing whitespace from a string, but the regex engine also attempts a match at every position inside a run of whitespace that is not at the end of the string: each attempt consumes the rest of the run, fails on the $ anchor, and backtracks through every shorter length before the engine moves to the next start position. In the worst case the matching time is therefore proportional to the square of the length of that non-trailing whitespace run. Because markdown-it is typically used to parse Markdown received over the network, an attacker can submit a string of tens of thousands of characters and force significant computation time.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for org.webjars.bowergithub.markdown-it:markdown-it.

Vulnerable versions: [0,)
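The following is an added illustration written for this page; it is not code from markdown-it or from the webjar. It reproduces the pattern the advisory describes (a trailing-whitespace strip written as /\s+$/) on a constructed worst-case string, times it against a linear backwards scan that returns the same result, and shows the quadratic growth. The function names stripTrailingWsRegex, stripTrailingWsSafe, worstCaseInput and timeMs are illustrative and are not names used by the project.

```javascript
// Added example (not code from markdown-it or the webjar): why a
// trailing-whitespace strip written as /\s+$/ is quadratic on crafted
// input, and a linear scan that produces the same result.

// Vulnerable form, as described in the advisory. For "x" + " "*n + "y",
// the engine starts a match at each of the n whitespace positions, runs
// \s+ greedily to the end of the run, fails on $ because of the "y",
// backtracks through every shorter length, then moves to the next start.
// Total work grows with n^2 even though nothing is ever removed.
function stripTrailingWsRegex(s) {
  return s.replace(/\s+$/, '');
}

// Hardened form: walk backwards from the end of the string. Cost is
// proportional to the trailing whitespace actually removed, and constant
// when the string does not end in whitespace. Testing /\s/ on a single
// character keeps exactly the same notion of "whitespace" as the original.
function stripTrailingWsSafe(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Constructed worst-case input (not from any real report): a long run of
// spaces that is NOT at the end of the string, so neither function
// removes anything, yet the regex form still pays the quadratic cost.
function worstCaseInput(n) {
  return 'x' + ' '.repeat(n) + 'y';
}

// Time one strip function on one input, in milliseconds.
// process.hrtime.bigint() is used so this runs on any Node.js release
// that supports it, in either CommonJS or ESM.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Demo: doubling n roughly quadruples the regex time; the scan stays flat.
for (const n of [4000, 8000, 16000]) {
  const input = worstCaseInput(n);
  console.log(
    `n=${n}  regex: ${timeMs(stripTrailingWsRegex, input).toFixed(1)} ms` +
    `  scan: ${timeMs(stripTrailingWsSafe, input).toFixed(3)} ms`
  );
}
```

Since this listing reports no fixed webjar version, the practical mitigations on the consuming side are to cap the size of Markdown accepted from untrusted sources before it reaches the parser and to avoid running the parser on the request-serving thread, so that a single slow document cannot stall other requests.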
Severity: Medium
Regular Expression Denial of Service (ReDoS)

org.webjars.bowergithub.markdown-it:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing input of the form __*_… takes quadratic time, which can be a denial of service vulnerability in an application that parses user-supplied Markdown.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for org.webjars.bowergithub.markdown-it:markdown-it.

Vulnerable versions: [0,)