CVE-2025-6493

NameCVE-2025-6493
DescriptionA weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown Mode. This manipulation causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 6.0 is able to address this issue. You should upgrade the affected component. Not all code samples mentioned in the GitHub issue can be found. The repository mentions, that "CodeMirror 6 exists, and is [...] much more actively maintained."
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1108477

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
codemirror-js (PTS)bullseye5.59.2+~cs0.23.109-1vulnerable
bookworm5.65.0+~cs5.83.9-2vulnerable
trixie5.65.0+~cs5.83.9-3vulnerable
forky, sid5.65.20+~cs5.83.25-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
codemirror-jssource(unstable)(unfixed)1108477

Notes

[trixie] - codemirror-js <no-dsa> (Minor issue)
[bookworm] - codemirror-js <no-dsa> (Minor issue)
[bullseye] - codemirror-js <postponed> (Minor issue)
https://github.com/codemirror/codemirror5/issues/7128
Search for package or bug name: Reporting problems