CVE-2025-42873— Denial of Service (DoS) in SAPUI5 framework (Markdown-it component)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-42873
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Denial of Service (DoS) in SAPUI5 framework (Markdown-it component)
Source: NVD (National Vulnerability Database)
Vulnerability Description
SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不对称的资源消耗(放大攻击)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP SAPUI5 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP SAPUI5是德国思爱普(SAP)公司的一款JavaScript应用程序框架。 SAP SAPUI5存在安全漏洞,该漏洞源于使用过时的第三方库导致无限循环,可能造成拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAPUI5 framework (Markdown-it component) | SAP_UI 755 | - |
II. Public POCs for CVE-2025-42873
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-42873
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2025-12-09 · 12 CVEs total
| CVE-2025-42880 | 9.9 CRITICAL | Code Injection vulnerability in SAP Solution Manager |
| CVE-2025-42928 | 9.1 CRITICAL | Deserialization Vulnerability in SAP jConnect - SDK for ASE |
| CVE-2025-42878 | 8.2 HIGH | Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) |
| CVE-2025-42874 | 7.9 HIGH | Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius) |
| CVE-2025-42877 | 7.5 HIGH | Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and |
| CVE-2025-42876 | 7.1 HIGH | Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) |
| CVE-2025-42875 | 6.6 MEDIUM | Missing Authentication check in SAP NetWeaver Internet Communication Framework |
| CVE-2025-42904 | 6.5 MEDIUM | Information Disclosure vulnerability in Application Server ABAP |
| CVE-2025-42872 | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal |
| CVE-2025-42891 | 5.5 MEDIUM | Missing Authorization check in SAP Enterprise Search for ABAP |
| CVE-2025-42896 | 5.4 MEDIUM | Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform |
IV. Related Vulnerabilities
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
Same weakness: CWE-405
- CVE-2026-35665
OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook - CVE-2026-35626
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion v - CVE-2026-25611
Pre-Authentication Memory Exhaustion Denial of Service in Mo - CVE-2026-24324
Denial of service (DOS) vulnerability in SAP BusinessObjects - CVE-2026-0485
Denial of service (DOS) vulnerability in SAP BusinessObjects
V. Comments for CVE-2025-42873
No comments yet