markdown-it@4.1.0 vulnerabilities

markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Infinite loop in linkify inline rule when using malformed input.

Upgrade markdown-it to version 13.0.2 or higher.

markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the /s+$/ in line 23 of lib/rules_inline/newline.js. This expression is used to remove trailing whitespaces from a string, however, it also matches non-trailing whitespaces. In the worst-case scenario, the matching process would take computation time proportional to the square of the length of the non-trailing whitespaces. It is possible that a string containing more than tens of thousands characters, as markdown-it handles Markdown, would be passed over the network, resulting in significant computational time.

Upgrade markdown-it to version 12.3.2 or higher.

markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing __*_… takes quadratic time, this could be a denial of service vulnerability in an application that parses user input.

Upgrade markdown-it to version 10.0.0 or higher.

markdown-it is a modern pluggable markdown parser.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via Class Injection.

The markdown-it renderer blindly appends the character class to the language- part of the tag. If there is a space in the language name, it'll be rendered into two separate classes.

\`\`\`
foo bar
code
\`\`\`

will be rendered into

<pre><code style="language-foo bar">
code
</code></pre>

A malicious user can attach an arbitrary class to the code tag.

Upgrade markdown-it to version 4.3.1 or higher.