markdown-it@2.0.0 vulnerabilities

Markdown-it - modern pluggable markdown parser.

Direct Vulnerabilities

Known vulnerabilities in the markdown-it package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version

  • Severity: High
Infinite loop

Affected versions of this package are vulnerable to an infinite loop in the linkify inline rule when given malformed input. Because parsing never terminates, a single crafted document can tie up the rendering thread indefinitely, which is a denial of service for any application that renders untrusted Markdown. The rule only runs when the parser is created with the linkify option enabled (it is off by default), so check your constructor options when assessing exposure.

How to fix Infinite loop?

Upgrade markdown-it to version 13.0.2 or higher.

Vulnerable versions: <13.0.2
  • Severity: Low
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the cdata pattern in common/html_re.js, the regular expression used to recognise raw HTML <![CDATA[ ... ]]> sections. A crafted input can make that expression backtrack for a long time, consuming CPU on the rendering side.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown-it to version 3.0.0 or higher.

Vulnerable versions: <3.0.0
  • Severity: Medium
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the /\s+$/ expression on line 23 of lib/rules_inline/newline.js. The expression is meant to strip trailing whitespace, but the engine retries it from every position in the string, so a long run of whitespace that is not trailing (because a non-space character follows it) is matched and backtracked again and again: the matching time grows with the square of the length of that run. Since markdown-it handles Markdown that is commonly received over the network, an input of more than tens of thousands of characters is enough to cause significant computation time.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown-it to version 12.3.2 or higher.

Vulnerable versions: <12.3.2
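The quadratic trailing-whitespace trim described in the newline.js advisory above, placed next to a linear replacement, as an added example. This is not markdown-it's own code or its fix; the function names, the timing harness and the worstCase() input are constructed for this illustration.

```javascript
// Added example, not markdown-it's own code: the trailing-whitespace trim the
// advisory describes, next to a linear replacement, with a timing harness.
// Function names and the worstCase() input are constructed for this illustration.

const TRAILING_WS_RE = /\s+$/; // the pattern named in the advisory

// Vulnerable form: replace() retries the pattern from every position. Inside a
// long run of spaces that is followed by a non-space character, \s+ consumes
// the rest of the run, $ fails, and the engine backtracks one character at a
// time before giving up, so each start position costs O(run length).
function trimTrailingRegex(str) {
  return str.replace(TRAILING_WS_RE, '');
}

// Linear form: walk backwards from the end over whitespace and slice once.
// Testing /\s/ on a single character keeps the same definition of "whitespace"
// as the original pattern (including Unicode spaces) with no backtracking.
function trimTrailingScan(str) {
  let end = str.length;
  while (end > 0 && /\s/.test(str[end - 1])) end--;
  return str.slice(0, end);
}

// Constructed worst case: n spaces that are NOT trailing, because 'x' follows.
function worstCase(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock cost of fn(input) in milliseconds.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Both implementations must agree on every input.
function sameResult(input) {
  return trimTrailingRegex(input) === trimTrailingScan(input);
}

// Doubling n roughly quadruples the regex time and barely moves the scan time.
// Sizes are kept small here; try 20000 and above to see the effect the advisory describes.
for (const n of [1000, 2000, 4000, 8000]) {
  const input = worstCase(n);
  console.log(
    `n=${n}`,
    `regex=${timeMs(trimTrailingRegex, input).toFixed(2)}ms`,
    `scan=${timeMs(trimTrailingScan, input).toFixed(2)}ms`
  );
}
```

The scan version is the shape of fix to reach for whenever a regex is anchored only at the end of the input: a single backwards pass cannot be made to do repeated work, whatever the input looks like.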
  • Severity: Medium
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing input of the form __*_… takes quadratic time, which is a denial-of-service vector in any application that parses user-supplied Markdown.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown-it to version 10.0.0 or higher.

Vulnerable versions: <10.0.0
  • Severity: Medium
Cross-site Scripting (XSS)

Affected versions of the package allowed data: URIs with any MIME type in link destinations by default, which opens the door to Cross-site Scripting (XSS) in applications that render untrusted Markdown.

Version 4.1.0 fixed this by allowing only four image MIME types in data: URIs (image/gif, image/png, image/jpeg and image/webp) and blocking all others by default.

Data URIs embed a small file inline, in the URL itself, so a data:text/html link carries a complete HTML document, script included. An attacker who can get such a link into rendered Markdown can serve attacker-controlled HTML or script through the application, which can be used to bypass access controls or steal sensitive information. Note that a data: document runs in its own opaque origin and current browsers block top-level navigation to data: URLs initiated by a page, so the practical impact depends on where the rendered HTML ends up; the destination check still belongs in the renderer.

Example of a data URI used to deliver JavaScript: the payload is the tag <script>alert('XSS')</script>, base64-encoded.

[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

How to fix Cross-site Scripting (XSS)?

Upgrade to markdown-it version 4.1.0 or newer.

Vulnerable versions: <4.1.0
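A link validator that applies the data: URI policy described in the fix above, with a minimal [text](url) renderer and a decoder to inspect the page's payload, as an added example. This is not markdown-it's own code: the function names are illustrative, and it goes beyond the data: case by also rejecting the javascript:, vbscript: and file: schemes, which a practitioner would want in the same check.

```javascript
// Added example, not markdown-it's own code: a link validator that applies the
// data: URI policy the fix describes (only image/gif, image/png, image/jpeg and
// image/webp), plus a minimal [text](url) renderer and a data: URI decoder.
// It also rejects javascript:, vbscript: and file: schemes, which goes beyond
// the data: case discussed above. Names are illustrative; inputs are constructed.

const BAD_PROTO_RE = /^(javascript|vbscript|file|data):/;
const GOOD_DATA_RE = /^data:image\/(gif|png|jpeg|webp)[;,]/;

// Returns true when the destination may be emitted as an href/src.
function validateLink(url) {
  // Browsers ignore tab/newline inside URLs, so "java\nscript:" is still
  // executable; strip them before the scheme check, and compare lowercased.
  const normalized = url.trim().toLowerCase().replace(/[\t\r\n]/g, '');
  if (!BAD_PROTO_RE.test(normalized)) return true; // http:, https:, mailto:, relative, ...
  return GOOD_DATA_RE.test(normalized);            // data: only for the four image types
}

function escapeHtml(s) {
  return s.replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
}

// Renders a single [text](url) link. A rejected destination is not linked at
// all: the source text is emitted as escaped plain text, as markdown-it does.
function renderLink(markdown) {
  const m = /^\[([^\]]*)\]\(([^)\s]*)\)$/.exec(markdown);
  if (!m) return escapeHtml(markdown);
  const [, text, url] = m;
  if (!validateLink(url)) return escapeHtml(markdown);
  return `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`;
}

// Decodes a data: URI so the embedded payload can be inspected.
function decodeDataUri(url) {
  const m = /^data:([^;,]*)((?:;[^;,]*)*),(.*)$/s.exec(url);
  if (!m) return null;
  const base64 = /;base64/i.test(m[2]);
  const body = base64 ? Buffer.from(m[3], 'base64').toString('utf8') : decodeURIComponent(m[3]);
  return { mime: m[1] || 'text/plain', body };
}

// The page's payload (constructed input, copied from the advisory above).
const XSS_LINK = "[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)";
const XSS_URL = XSS_LINK.slice(XSS_LINK.indexOf('(') + 1, -1);
// A data: image the policy still allows (constructed; the body is the PNG signature bytes).
const IMG_LINK = "[pixel](data:image/png;base64,iVBORw0KGgo=)";

console.log(decodeDataUri(XSS_URL)); // { mime: 'text/html', body: "<script>alert('XSS')</script>\n" }
console.log(renderLink(XSS_LINK));   // plain text, no anchor
console.log(renderLink(IMG_LINK));   // <a href="data:image/png;base64,iVBORw0KGgo=">pixel</a>
```

The check is an allow-list on the MIME type, not a deny-list on text/html: image/svg+xml, for instance, can carry script too and is rejected here because it is not one of the four permitted types.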