CVE-2026-2327

Name: CVE-2026-2327
Description: Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive (quadratic) backtracking and may lead to a denial-of-service condition.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release           Version                 Status
node-markdown-it (PTS)  bullseye          10.0.0+dfsg-2+deb11u1   fixed
                        bookworm, trixie  22.2.3+dfsg+~12.2.3-2   fixed
                        forky, sid        22.2.3+dfsg+~12.2.3-4   fixed

The information below is based on the following data on fixed versions.

Package           Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
node-markdown-it  source  (unstable)  (not affected)

Notes

- node-markdown-it <not-affected> (Vulnerable code introduced later)
https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917
Introduced by: https://github.com/markdown-it/markdown-it/commit/6b58ec4245abe2e293c79bd7daabf4543ef46399 (13.0.0)
Fixed by: https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26 (14.1.1)
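The description above pins the problem to the anchored suffix pattern /\*+$/. On an input of the form "*".repeat(n) + "a" the engine attempts a match at each of the n start offsets; each attempt consumes the rest of the run greedily, fails at $, and then backtracks one character at a time before giving up, so the total work grows with n². The JavaScript below is an added example, not markdown-it's code and not the contents of its fix commit: it reproduces the slow path with the advisory's regex, pairs it with a linear backwards scan that returns the same count, and times both on constructed inputs. All function names are my own.

```javascript
// Added example (not markdown-it's code): reproduce the quadratic behaviour
// of /\*+$/ and compare it with a linear-time replacement. Names are invented.

// The pattern named in the advisory. On "***...*a" the engine retries from
// every start offset and backtracks through the whole run each time.
const TRAILING_STARS_RE = /\*+$/;

// Regex-based count of trailing '*' characters (the slow form).
function trailingStarsRegex(str) {
  const m = TRAILING_STARS_RE.exec(str);
  return m ? m[0].length : 0;
}

// Linear replacement: walk backwards from the end until a non-'*' is hit.
// Returns the same value as the regex for every input, O(n) worst case.
function trailingStarsLinear(str) {
  let i = str.length;
  while (i > 0 && str.charCodeAt(i - 1) === 0x2a) i--; // 0x2a is '*'
  return str.length - i;
}

// Constructed attacker-style input: n stars followed by a character that
// cannot match, so the anchored pattern never succeeds.
function redosInput(n) {
  return '*'.repeat(n) + 'a';
}

// Wall-clock milliseconds for one call; performance.now() is a Node global.
function timeMs(fn, arg) {
  const t0 = performance.now();
  fn(arg);
  return performance.now() - t0;
}

// Time both implementations on the same input sizes. Doubling n should
// roughly quadruple the regex time and only roughly double the linear time.
function compare(sizes) {
  return sizes.map((n) => {
    const s = redosInput(n);
    return {
      n,
      regexMs: timeMs(trailingStarsRegex, s),
      linearMs: timeMs(trailingStarsLinear, s),
    };
  });
}

// Check that both implementations agree on a set of constructed inputs,
// including the non-matching attacker shape and a run that does match.
function implementationsAgree(inputs) {
  return inputs.every((s) => trailingStarsRegex(s) === trailingStarsLinear(s));
}

console.log(compare([2000, 4000, 8000]));
```

The printed timings are wall-clock and vary by machine, but the ratio between successive rows is what matters: the regex column scales quadratically with n while the linear column stays roughly proportional. When auditing for this pattern, look for any greedy quantifier followed by $ (or another assertion) that is applied to attacker-controlled text without a length bound; a backwards scan like trailingStarsLinear, or bounding the input before matching, removes the backtracking.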
