This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**ReDoS Vulnerability**: The `markdown-it` package triggers excessive backtracking in the regular expression `/\*+$/` when processing strings of asterisks, leading to CPU exhaustion and causing service slowdown or crash.…
**Root Cause**: CWE-400 (Insufficient Input Validation) + CWE-817 (Regular Expression DoS). The `linkify` function's regex `/\*+$/` improperly handles long sequences of asterisks, causing exponential backtracking.
Q3. Who is affected? (Versions/Components)
**Affected Scope**: `markdown-it` versions **13.0.0 to 14.1.1 (inclusive)**. All projects using this package (e.g., static websites, Markdown editors) are affected.
Q4. What can hackers do? (Privileges/Data)
**Attacker Privileges**: No authentication or special privileges required. Simply sending a malicious asterisk string (e.g., `*********x`) can hang the service. **No data leakage or privilege escalation**.
Q5. Is the exploitation threshold high? (Auth/Config)
**Low Exploitation Barrier**: No authentication or configuration needed. Attackers only need to craft malicious input and submit it via an HTTP request or form.
Q6. Is there a public exploit? (PoC/Wild Exploitation)
**PoC Available**: A proof of concept is available on GitHub Gist ([c9abecae...](https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917)). **No public in-the-wild exploitation reports**.
Q7. How to self-check? (Features/Scanning)
**Self-Check Method**: Check whether your project depends on `markdown-it` and whether its version falls within 13.0.0 to 14.1.1. Use `npm list markdown-it` or a dependency scanning tool (e.g., Snyk) for quick identification.
Q8. Is it fixed officially? (Patch/Mitigation)
**Official Fix Released**: Fixed in version 14.1.2 and later. Fix: the regex in the `linkify` function was optimized to prevent backtracking.…
**Temporary Mitigation**: If upgrading is not possible, preprocess input to limit consecutive asterisks (e.g., max 100 `*`), or use `try-catch` to handle timeout exceptions.
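A defender-side implementation of the Q7 version check and the Q8 input pre-processing, written here as an added example rather than code from the advisory or from `markdown-it`; the 100-asterisk cap and the 13.0.0 to 14.1.1 range are taken from the text, the function names are assumptions, and the sample input is constructed:

```javascript
// Added example, not part of the advisory or of markdown-it.
// 1) Pre-process untrusted Markdown so no run of '*' exceeds MAX_RUN
//    before the text reaches the renderer.
// 2) Check whether an installed markdown-it version is in the affected range.

const MAX_RUN = 100; // cap suggested by the advisory's temporary mitigation

// Collapse every run of '*' longer than maxRun down to exactly maxRun.
// A single linear scan is used instead of a regex so that the sanitizer
// itself cannot backtrack on the same input it is meant to neutralise.
function limitAsteriskRuns(text, maxRun = MAX_RUN) {
  let out = '';
  let run = 0;
  for (const ch of text) {
    if (ch === '*') {
      run += 1;
      if (run <= maxRun) out += ch; // drop stars beyond the cap
    } else {
      run = 0;
      out += ch;
    }
  }
  return out;
}

// Parse a plain "major.minor.patch" string; null if it has any other shape
// (pre-release tags etc.), which callers should treat as "unknown".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is within 13.0.0 .. 14.1.1 inclusive (affected)
// false -> outside that range
// null  -> version string could not be parsed
function isAffectedMarkdownItVersion(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, [13, 0, 0]) >= 0 && compareVersions(v, [14, 1, 1]) <= 0;
}

// Constructed sample: a 250-star run followed by text is reduced to 100 stars + "x".
const sample = '*'.repeat(250) + 'x';
console.log(limitAsteriskRuns(sample).length); // 101
```

The sanitizer only guarantees bounded star runs; it is a stopgap until the dependency is moved to 14.1.2 or later.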