Executive Summary

CVE-2026-2327 is a Regular Expression Denial of Service (ReDoS) vulnerability in the markdown-it package versions from 13.0.0 up to 14.1.0. The issue is caused by the use of the regular expression /\*+$/ in the linkify function, which matches trailing asterisks at the end of URLs.

This regex uses a greedy quantifier combined with an end-of-string anchor, which leads to excessive backtracking when processing inputs containing long sequences of asterisks followed by a non-matching character. An attacker can exploit this by supplying such inputs, causing the regex engine to consume excessive CPU resources.

The vulnerability results in degraded performance and can cause denial-of-service conditions by exhausting CPU cycles during URL processing.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to denial-of-service conditions by causing the markdown-it library to consume excessive CPU resources when processing specially crafted inputs.

An attacker can supply URLs with long sequences of asterisks followed by a non-matching character, triggering catastrophic backtracking in the regex engine. This results in significant processing delays and high CPU usage.

The impact is a performance degradation that can make applications using vulnerable versions of markdown-it unresponsive or slow, potentially disrupting service availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the markdown-it package's linkify function with inputs containing long sequences of asterisks (*) followed by a non-matching character. Such inputs trigger excessive CPU usage due to the vulnerable regular expression."}, {'type': 'paragraph', 'content': "A practical approach is to render URLs constructed with increasingly long sequences of '*' characters followed by a non-matching character using markdown-it with the linkify option enabled. Monitoring CPU usage during this process can reveal the vulnerability."}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, a test script or command that repeatedly processes strings like "****...****a" (many asterisks followed by a non-asterisk character) through markdown-it\'s linkify function can be used to detect the issue by observing performance degradation.'}] [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the markdown-it package to version 14.1.1 or later, where the vulnerable regular expression has been replaced with a more efficient manual backward search loop that prevents excessive backtracking.

This update fixes the performance regression by avoiding the problematic regex `/\*+$/` in the linkify function and ensures that URLs with trailing asterisks are processed efficiently without causing denial-of-service conditions.

Useful 0 Not Useful 0