Description
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Published: 2026-02-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A regular expression denial of service vulnerability exists in the markdown-it JavaScript library due to the use of the pattern /\*+$/ within its linkify routine. When an attacker supplies a long sequence of asterisks followed by a non-matching character, the regex engine performs excessive backtracking, which can exhaust system resources and cause the host application to become unresponsive. This weakness is classified as CWE-1333 and can compromise the availability of any service that renders Markdown using markdown-it without additional safeguards.

Affected Systems

The vulnerability affects all versions of the markdown-it package released before 14.1.1, including the version range 13.0.0 through 14.1.0. The affected product is the markdown-it project's library, which is commonly used in Node.js applications for Markdown parsing. Upgrading to version 14.1.1 or later resolves the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is that an attacker supplies malicious Markdown content, for example through an input field, comment feed, or API payload, that the application then parses. Because the flaw is in a regular expression, it does not require elevated privileges; any user who can submit data that passes through markdown-it can trigger the denial of service.

Generated by OpenCVE AI on April 17, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade markdown-it to version 14.1.1 or newer.
  • If an upgrade is delayed, disable the linkify feature or configure the parser to exclude linkification.
  • Implement input validation to restrict the length of asterisks or overall Markdown payload before parsing.
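The Impact section above explains why /\*+$/ backtracks on a long run of asterisks, and the recommended actions suggest limiting asterisk runs or payload size before parsing. The JavaScript below is an added example, not markdown-it's own code and not its 14.1.1 fix: it trims trailing asterisks with a single backwards scan instead of a regex, checks on short constructed inputs that it returns exactly what the original pattern would, and adds a pre-parse guard. The function names and the limit values (64 KiB payload, 64-character asterisk run) are this example's own assumptions.

```javascript
// Added example (assumed names and limits); not code from the markdown-it project.

// The pattern named in the advisory, kept here only to check output equivalence.
const TRAILING_ASTERISKS_RE = /\*+$/;

// Regex version: on "****...*x" the engine retries \*+ from every start
// position and backtracks inside each attempt, so the work grows
// quadratically with the length of the asterisk run.
function stripTrailingAsterisksRegex(text) {
  return text.replace(TRAILING_ASTERISKS_RE, '');
}

// Linear version: scan backwards once and slice. No regex, no backtracking;
// the cost is proportional to the number of trailing asterisks only.
function stripTrailingAsterisks(text) {
  let end = text.length;
  while (end > 0 && text.charCodeAt(end - 1) === 0x2a /* '*' */) {
    end--;
  }
  return end === text.length ? text : text.slice(0, end);
}

// Pre-parse guard matching the recommended action of restricting asterisk
// runs and overall payload size. Limits are assumed values for this example.
const DEFAULT_LIMITS = { maxLength: 64 * 1024, maxAsteriskRun: 64 };

function checkMarkdownPayload(text, limits = DEFAULT_LIMITS) {
  if (typeof text !== 'string') return { ok: false, reason: 'not a string' };
  if (text.length > limits.maxLength) return { ok: false, reason: 'payload too long' };
  let run = 0;
  for (let i = 0; i < text.length; i++) {
    if (text.charCodeAt(i) === 0x2a) {
      run++;
      if (run > limits.maxAsteriskRun) return { ok: false, reason: 'asterisk run too long' };
    } else {
      run = 0;
    }
  }
  return { ok: true };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  'http://example.com/path**',
  '****',
  'no asterisks here',
  '*lead* trail***',
  '',
];

// Sanity check: the linear trim must agree with the regex on short inputs,
// so swapping it in does not change behaviour for ordinary content.
function linearMatchesRegex(samples = SAMPLES) {
  return samples.every((s) => stripTrailingAsterisks(s) === stripTrailingAsterisksRegex(s));
}

// Typical use: reject oversized payloads before they reach the parser.
//   const verdict = checkMarkdownPayload(userInput);
//   if (!verdict.ok) respondWithError(verdict.reason);
```

The guard runs in one pass over the input and sits in front of the parser, so it protects the vulnerable version until the upgrade lands; the backwards scan shows the shape of a drop-in replacement for a trailing-run regex when you control the code that uses it.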

Advisories
Source | ID | Title
Github GHSA | GHSA-38c4-r59v-3vqw | markdown-it has a Regular Expression Denial of Service (ReDoS)
History

Mon, 23 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Markdown-it Project; Markdown-it Project markdown-it
CPEs | | cpe:2.3:a:markdown-it_project:markdown-it:*:*:*:*:*:*:*:*
Vendors & Products | | Markdown-it Project; Markdown-it Project markdown-it

Fri, 13 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
Title | | markdown-it: markdown-it: Denial of Service via Regular Expression Denial of Service in linkify function
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Thu, 12 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Markdown-it; Markdown-it markdown-it
Vendors & Products | | Markdown-it; Markdown-it markdown-it

Thu, 12 Feb 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Weaknesses | | CWE-1333
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-02-12T14:41:53.714Z

Reserved: 2026-02-11T07:02:27.771Z

Link: CVE-2026-2327

Vulnrichment

Updated: 2026-02-12T14:41:22.399Z

NVD

Status: Analyzed

Published: 2026-02-12T06:16:02.243

Modified: 2026-02-23T14:08:11.870

Link: CVE-2026-2327

Redhat

Severity: Moderate

Public Date: 2026-02-12T05:00:07Z

Links: CVE-2026-2327 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses