Description

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

INFO

Published Date :

2026-02-12T05:00:07.369Z

Last Modified :

2026-02-12T14:41:53.714Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2026-2327 vulnerability.

Vendors Products
Markdown-it
  • Markdown-it
Markdown-it Project
  • Markdown-it
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-2327.

URL Resource
https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917 cve-icon cve-icon cve-icon cve-icon
https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs%23L33 cve-icon cve-icon cve-icon
https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-2327 cve-icon
https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-10666750 cve-icon cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-2327 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact