CVE-2026-2327
ReDoS Vulnerability in markdown-it Linkify Function Causes DoS
Publication date: 2026-02-12
Last updated on: 2026-02-23
Assigner: Snyk
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| markdown-it_project | markdown-it | From 13.0.0 (inc) to 14.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2327 is a Regular Expression Denial of Service (ReDoS) vulnerability in the markdown-it package versions from 13.0.0 up to 14.1.0. The issue is caused by the use of the regular expression `/\*+$/` in the linkify function, which matches trailing asterisks at the end of URLs.
This regex uses a greedy quantifier combined with an end-of-string anchor, which leads to excessive backtracking when processing inputs containing long sequences of asterisks followed by a non-matching character. An attacker can exploit this by supplying such inputs, causing the regex engine to consume excessive CPU resources.
The vulnerability results in degraded performance and can cause denial-of-service conditions by exhausting CPU cycles during URL processing.
How can this vulnerability impact me?
This vulnerability can lead to denial-of-service conditions by causing the markdown-it library to consume excessive CPU resources when processing specially crafted inputs.
An attacker can supply URLs with long sequences of asterisks followed by a non-matching character, triggering catastrophic backtracking in the regex engine. This results in significant processing delays and high CPU usage.
The impact is a performance degradation that can make applications using vulnerable versions of markdown-it unresponsive or slow, potentially disrupting service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the markdown-it package's linkify function with inputs containing long sequences of asterisks (*) followed by a non-matching character. Such inputs trigger excessive CPU usage due to the vulnerable regular expression.
A practical approach is to render URLs constructed with increasingly long sequences of '*' characters followed by a non-matching character using markdown-it with the linkify option enabled. Monitoring CPU usage during this process can reveal the vulnerability.
While no specific commands are provided in the resources, a test script or command that repeatedly processes strings like "****...****a" (many asterisks followed by a non-asterisk character) through markdown-it's linkify function can be used to detect the issue by observing performance degradation. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the markdown-it package to version 14.1.1 or later, where the vulnerable regular expression has been replaced with a more efficient manual backward search loop that prevents excessive backtracking.
This update fixes the performance regression by avoiding the problematic regex `/\*+$/` in the linkify function and ensures that URLs with trailing asterisks are processed efficiently without causing denial-of-service conditions.
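The detection approach and the fix described above, as an added example that is not markdown-it's own code: a trailing-asterisk count written with the advisory's regex `/\*+$/` next to the manual backward scan the fix uses, timed on a constructed probe input so a build can be regression-tested. The function names and the probe URL are assumptions made for this illustration.

```javascript
// Added example, not markdown-it's own code. Both functions count the run of
// trailing '*' characters on a URL candidate (what linkify trims); the
// function and probe names are assumptions made for this illustration.

// Vulnerable form (the pattern the advisory names): a greedy quantifier that
// is anchored only at the end. On "***...*a" the engine tries every starting
// offset, runs to the 'a', fails at '$', and backtracks, so the work grows
// quadratically with the length of the asterisk run.
function trailingStarsRegex(url) {
  const m = /\*+$/.exec(url);
  return m ? m[0].length : 0;
}

// Fixed form: a manual backward scan. Cost is proportional to the run length
// only, and a non-matching last character costs a single comparison.
function trailingStarsLoop(url) {
  let i = url.length;
  while (i > 0 && url.charCodeAt(i - 1) === 0x2a) i--; // 0x2a is '*'
  return url.length - i;
}

// Constructed probe: n asterisks followed by a character that defeats '$'.
function probe(n) {
  return "https://example.com/" + "*".repeat(n) + "a";
}

// Times one call and returns both its result and the wall-clock cost in ms.
function timeIt(fn, input) {
  const t0 = process.hrtime.bigint();
  const result = fn(input);
  return { result, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

// Regression check for a build of the library: the two implementations must
// agree, and doubling n should roughly double the loop's cost but quadruple
// the regex's cost on a backtracking engine.
function compare(n) {
  const input = probe(n);
  const regex = timeIt(trailingStarsRegex, input);
  const loop = timeIt(trailingStarsLoop, input);
  return { n, regexMs: regex.ms, loopMs: loop.ms, agree: regex.result === loop.result };
}

for (const n of [4000, 8000, 16000]) {
  const r = compare(n);
  console.log(`n=${r.n} regex=${r.regexMs.toFixed(1)}ms loop=${r.loopMs.toFixed(3)}ms agree=${r.agree}`);
}
```

Run it under the Node.js version your application uses; the regex column growing roughly fourfold per doubling of n is the signature the advisory describes, while the loop column stays flat.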