CVE-2025-9670
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-09-02
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mixmark-io | turndown | 7.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9670 is a Regular Expression Denial of Service (ReDoS) vulnerability in the mixmark-io turndown library (up to version 7.2.1). It arises from inefficient regular expressions in the file src/commonmark-rules.js, specifically in the blockquote and listItem parsing rules. These regexes use greedy quantifiers (+) followed by an end-of-string anchor ($), which cause catastrophic backtracking when processing specially crafted long input strings that nearly match the pattern but fail at the end. This leads to excessive CPU consumption and can cause the application to hang or become unresponsive. The vulnerability can be exploited remotely without authentication, and a proof-of-concept exploit is publicly available. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by causing denial-of-service conditions in applications using the vulnerable turndown versions 7.2.0 and 7.2.1. When an attacker sends specially crafted input strings, the inefficient regex patterns cause exponential backtracking, leading to excessive CPU usage and application hangs or unresponsiveness. This affects system availability and can disrupt normal operations remotely without requiring any authentication. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected turndown library (versions up to 7.2.1) with specially crafted input strings that trigger the inefficient regular expressions in the file src/commonmark-rules.js. Specifically, inputs containing long sequences of newline characters followed by characters that prevent the regex from matching the end-of-string anchor can cause excessive CPU usage or application hangs. For detection, you can run JavaScript code snippets that mimic the proof-of-concept attacks, such as:

```js
// Near-miss input for the blockquote rule: a long run of newlines that
// does not end the string, so /\n+$/ fails at the anchor and backtracks.
const attackString = "\u0000\u0000" + "\n".repeat(100000) + "!\n!";
attackString.replace(/^\n+|\n+$/g, '');

// Same shape for the listItem rule's trailing-newline trim.
const attackString2 = "" + "\n".repeat(100000) + "β";
attackString2.replace(/\n+$/, '\n');
```

Monitoring CPU usage or application responsiveness during these tests can indicate vulnerability. Additionally, network monitoring for unusual spikes in resource usage when processing markdown input may help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the vulnerable regular expressions in the src/commonmark-rules.js file with safer alternatives that avoid catastrophic backtracking. Specifically, remove the use of greedy quantifiers (+) followed by end-of-string anchors ($) for trimming trailing newlines. Instead, use logical string operations such as loops and substring methods to remove or trim newlines safely. For example, replace:

- `/^\n+|\n+$/g` with separate removal of leading newlines using `/^\n+/` and trailing newlines using a loop to trim them.
- `/\n+$/` with a loop that iterates from the end of the string to remove trailing newlines.

If patching is not immediately possible, consider replacing the turndown library with an alternative markdown processor that is not vulnerable. Monitoring and limiting input size or rate can also reduce risk until a fix is applied. [1, 3]
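The loop-based trims described above, written out as an added example (this is not turndown's own code; it assumes the two rules need nothing more than stripping newlines at both ends and collapsing trailing newlines to one):

```javascript
// Added example, not turndown's own code. The regex helper is kept only to
// compare results on short inputs; the index-scan helpers replace it.

// Original-style trim used by the blockquote rule (quadratic on near-miss input).
function trimNewlinesRegex(s) {
  return s.replace(/^\n+|\n+$/g, '');
}

// Linear-time replacement: locate the first and last non-newline character
// and slice once. No regex is involved, so there is nothing to backtrack.
function trimNewlines(s) {
  let start = 0;
  let end = s.length;
  while (start < end && s.charCodeAt(start) === 10) start++;   // 10 == '\n'
  while (end > start && s.charCodeAt(end - 1) === 10) end--;
  return s.slice(start, end);
}

// Replacement for the listItem rule's .replace(/\n+$/, '\n'): any run of
// trailing newlines becomes exactly one; a string with none is unchanged.
function collapseTrailingNewlines(s) {
  let end = s.length;
  while (end > 0 && s.charCodeAt(end - 1) === 10) end--;
  return end === s.length ? s : s.slice(0, end) + '\n';
}

// Self-check on constructed inputs: the safe trim must agree with the regex
// on small strings, and must stay fast on the near-miss shape from the
// public proof of concept (long newline run that does not end the string).
function selfCheck() {
  const samples = ['', '\n', 'a', '\na\n', '\n\nfoo\nbar\n\n', 'x\n\n\ny'];
  for (const s of samples) {
    if (trimNewlines(s) !== trimNewlinesRegex(s)) return false;
  }
  const hostile = '\n'.repeat(100000) + '!\n!';   // constructed near-miss input
  const t0 = Date.now();
  const out = trimNewlines(hostile);
  const elapsedMs = Date.now() - t0;
  return out === '!\n!' && elapsedMs < 1000;
}
```

The regex helper is deliberately never run on the long input; the point of the check is that the loop version finishes in milliseconds where the anchored regex does not.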