Executive Summary

CVE-2025-9670 is a Regular Expression Denial of Service (ReDoS) vulnerability in the mixmark-io turndown library (up to version 7.2.1). It arises from inefficient regular expressions in the file src/commonmark-rules.js, specifically in the blockquote and listItem parsing rules. These regexes use greedy quantifiers (+) followed by an end-of-string anchor ($), which cause catastrophic backtracking when processing specially crafted long input strings that nearly match the pattern but fail at the end. This leads to excessive CPU consumption and can cause the application to hang or become unresponsive. The vulnerability can be exploited remotely without authentication, and a proof-of-concept exploit is publicly available. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing denial-of-service conditions in applications using the vulnerable turndown versions 7.2.0 and 7.2.1. When an attacker sends specially crafted input strings, the inefficient regex patterns cause exponential backtracking, leading to excessive CPU usage and application hangs or unresponsiveness. This affects system availability and can disrupt normal operations remotely without requiring any authentication. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the affected turndown library (versions up to 7.2.1) with specially crafted input strings that trigger the inefficient regular expressions in the file src/commonmark-rules.js. Specifically, inputs containing long sequences of newline characters followed by characters that prevent the regex from matching the end-of-string anchor can cause excessive CPU usage or application hangs. For detection, you can run JavaScript code snippets that mimic the proof-of-concept attacks, such as: ```js const attackString = "\u0000\u0000" + "\n".repeat(100000) + "!\n!"; attackString.replace(/^\n+|\n+$/g, ''); const attackString2 = "" + "\n".repeat(100000) + "◎"; attackString2.replace(/\n+$/, '\n'); ``` Monitoring CPU usage or application responsiveness during these tests can indicate vulnerability. Additionally, network monitoring for unusual spikes in resource usage when processing markdown input may help detect exploitation attempts. [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include replacing the vulnerable regular expressions in the src/commonmark-rules.js file with safer alternatives that avoid catastrophic backtracking. Specifically, remove the use of greedy quantifiers (+) followed by end-of-string anchors ($) for trimming trailing newlines. Instead, use logical string operations such as loops and substring methods to remove or trim newlines safely. For example, replace: - `/^\n+|\n+$/g` with separate removal of leading newlines using `/^\n+/` and trailing newlines using a loop to trim them. - `/\n+$/` with a loop that iterates from the end of the string to remove trailing newlines. If patching is not immediately possible, consider replacing the turndown library with an alternative markdown processor that is not vulnerable. Monitoring and limiting input size or rate can also reduce risk until a fix is applied. [1, 3]

Useful 0 Not Useful 0