JFrog Security Research

XRAY-211350 - markdown-link-extractor ReDoS

CVE-2021-43308 | CVSS 5.9

JFrog Severity: medium

Discovered by Denys Vozniuk of the JFrog Security Research Team

Published 30 May, 2022 | Last updated 30 May, 2022

Exponential ReDoS in markdown-link-extractor leads to denial of service


Affected versions: markdown-link-extractor (,3.0.1] | [4.0.0]. Fixed in 3.0.2 and 4.0.1.

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the markdown-link-extractor npm package when an attacker is able to supply arbitrary input (the Markdown text to be scanned for links) to the module's exported function. Because the backtracking grows exponentially with the length of the crafted input, a payload of a few dozen bytes is enough to keep the Node.js event loop busy for a long time.

Proof-of-concept input (JavaScript, where i is the repetition count; the string consists of an opening "![" with no matching "]", followed by i copies of the four characters quote, backslash, backslash, quote):

'![' + '"\\\\"'.repeat(i)
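The following is an added example, not code from markdown-link-extractor or from the advisory. It reproduces the failure mode described above with an illustrative image-link regex whose alternation is ambiguous about how a backslash is consumed, feeds it the PoC input shape from the advisory, times it against an unambiguous rewrite, and wraps the hardened regex in an extractor with an input-size guard. The two regexes, the `poc`, `timeMatch` and `extractImageLinks` names, and the 64 KiB limit are assumptions chosen for the demonstration; they are not the package's own patterns or API.

```javascript
// Added example (not the markdown-link-extractor source). The regexes below
// are assumptions that reproduce the exponential-backtracking shape the
// advisory describes; they are not the package's real patterns.

// Vulnerable shape: inside "![...]" a backslash can be consumed either by the
// escape branch `\\.` or by the catch-all `[^\]]`. Every backslash therefore
// multiplies the number of ways to reach the closing "]", and when that "]"
// is missing the engine explores all of them before giving up.
const AMBIGUOUS_IMAGE_RE = /!\[((?:\\.|[^\]])*)\]\(([^)\s]*)\)/;

// Hardened shape: the catch-all excludes backslash, so each character has
// exactly one branch that can match it and failure costs linear time.
const UNAMBIGUOUS_IMAGE_RE = /!\[((?:\\.|[^\]\\])*)\]\(([^)\s]*)\)/;

// PoC input from the advisory: "![" with no closing "]" followed by i copies
// of the four-character sequence quote, backslash, backslash, quote.
function poc(i) {
  return '![' + '"\\\\"'.repeat(i);
}

// Run `re` once against `input`; return [matched, elapsedMilliseconds].
function timeMatch(re, input) {
  const t0 = performance.now();
  const m = re.exec(input);
  return [m !== null, performance.now() - t0];
}

// Extract {alt, url} pairs with the hardened regex. The length check is a
// belt-and-braces guard (assumed limit): even a linear regex should not be
// handed unbounded attacker input.
function extractImageLinks(markdown, maxLen = 64 * 1024) {
  if (markdown.length > maxLen) {
    throw new RangeError(`input of ${markdown.length} bytes exceeds ${maxLen}`);
  }
  const re = new RegExp(UNAMBIGUOUS_IMAGE_RE.source, 'g');
  const out = [];
  let m;
  while ((m = re.exec(markdown)) !== null) {
    out.push({ alt: m[1], url: m[2] });
  }
  return out;
}

// Demo: each unit of the payload admits three parses under the ambiguous
// regex, so the time grows roughly 3^i (about 9x for every +2 in i).
for (const i of [6, 8, 10, 12]) {
  const [, slow] = timeMatch(AMBIGUOUS_IMAGE_RE, poc(i));
  const [, fast] = timeMatch(UNAMBIGUOUS_IMAGE_RE, poc(i));
  console.log(`i=${i}: ambiguous ${slow.toFixed(2)} ms, unambiguous ${fast.toFixed(2)} ms`);
}
console.log(extractImageLinks('![logo](https://example.com/a.png) text ![x](b.png)'));
```

The demo stops at i=12 on purpose; a few more repetitions are enough to stall the process for minutes, which is the whole point of the advisory. The fix that matters is the unambiguous alternation: once each input character can be matched by exactly one branch, the missing "]" is discovered in a single linear pass instead of after 3^i failed parses.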

No mitigations other than upgrading to a fixed version (3.0.2 or 4.0.1) are supplied for this issue.

