org.webjars.npm:markdown-it@12.0.6 vulnerabilities

  • latest version

    14.1.0

  • latest non-vulnerable version

  • first published

    8 years ago

  • latest version published

    2 months ago

  • licenses detected

  • package manager

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:markdown-it package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version range
  • Severity: High
Infinite loop

org.webjars.npm:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to an infinite loop in the linkify inline rule when given malformed input.

How to fix Infinite loop?

Upgrade org.webjars.npm:markdown-it to version 14.1.0 or higher.

Vulnerable version range: [,14.1.0)
  • Severity: Medium
Regular Expression Denial of Service (ReDoS)

org.webjars.npm:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression /\s+$/ in line 23 of lib/rules_inline/newline.js. The expression is meant to remove trailing whitespace from a string, but the regex engine also attempts a match at every run of whitespace that is not at the end of the string, and backtracks through each such run before the match fails. In the worst case the matching time is therefore proportional to the square of the length of the non-trailing whitespace. Because markdown-it handles Markdown, a string of more than tens of thousands of characters could plausibly be passed over the network, resulting in significant computational time.
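The following is an added example, not code from markdown-it or from Snyk, showing the trailing-whitespace trim pattern described above beside a linear-time replacement. The vulnerable form is the /\s+$/ regex named on the page; the hardened form is an assumed backward scan that yields the same result without backtracking and is not claimed to be identical to the project's own fix. The input built in `benchmark` is constructed for the demonstration.

```javascript
// Added example (not markdown-it's own code): quadratic trailing-whitespace
// trim versus a linear one. Run with: node redos_trim.js

// Vulnerable form: /\s+$/ as described on the page. For a run of N
// non-trailing whitespace characters the engine starts a match at each of
// the N positions, consumes the rest of the run, fails at '$', and backtracks
// one character at a time, so the total work grows with N squared.
const VULNERABLE_TRAILING_WS = /\s+$/;

function trimTrailingVulnerable(s) {
  return s.replace(VULNERABLE_TRAILING_WS, '');
}

// Hardened form (assumed, not the project's fix): scan backwards from the
// end and slice. Each character is examined at most once, so the work is
// linear in the input length regardless of where whitespace sits.
function isWhitespaceChar(ch) {
  // Single-character regex test keeps exactly the \s character class
  // semantics (including Unicode spaces such as \u00a0) at O(1) per call.
  return /\s/.test(ch);
}

function trimTrailingLinear(s) {
  let end = s.length;
  while (end > 0 && isWhitespaceChar(s.charAt(end - 1))) end--;
  return s.slice(0, end);
}

// Returns true when both implementations agree on every supplied input.
function sameResults(inputs) {
  return inputs.every((s) => trimTrailingVulnerable(s) === trimTrailingLinear(s));
}

// Constructed worst-case shape: a long whitespace run that is NOT trailing,
// because a single non-space character follows it. Returns elapsed
// milliseconds for each implementation so the growth can be compared.
function benchmark(n) {
  const input = ' '.repeat(n) + 'x';
  const timeIt = (fn) => {
    const start = process.hrtime.bigint();
    fn(input);
    return Number(process.hrtime.bigint() - start) / 1e6;
  };
  return {
    n,
    vulnerableMs: timeIt(trimTrailingVulnerable),
    linearMs: timeIt(trimTrailingLinear),
  };
}

// Stand-alone demo: both implementations agree, and the regex version's
// time climbs much faster than the linear one's as n grows.
const samples = ['abc   \t\n', '   ', '', 'a  b', 'a\u00a0b\u00a0', ' '.repeat(50) + 'x'];
console.log('implementations agree:', sameResults(samples));
for (const n of [1000, 2000, 4000]) {
  console.log(benchmark(n));
}

module.exports = { trimTrailingVulnerable, trimTrailingLinear, sameResults, benchmark };
```

Doubling n in the demo roughly quadruples the regex time while the linear scan stays flat; the sizes are kept small so the demo finishes in well under a second, which is enough to see the shape of the curve.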

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.webjars.npm:markdown-it to version 12.3.2 or higher.

Vulnerable version range: [,12.3.2)