CVE-2019-12041
Regular Expression Denial of Service (ReDoS) vulnerability in remarkable (npm)

What is CVE-2019-12041 About?

This vulnerability in `remarkable` 1.7.1 is a Regular Expression Denial of Service (ReDoS) flaw, triggered via a crafted CDATA section. Exploiting this can lead to excessive resource consumption and application unresponsiveness. It is relatively easy for an attacker to trigger if input handling is not robust.

Affected Software

remarkable <1.7.2

Technical Details

The lib/common/html_re.js component of the remarkable JavaScript markdown parser, version 1.7.1, contains a Regular Expression Denial of Service (ReDoS) vulnerability. Certain regular expressions used to parse CDATA sections are highly inefficient when processing specially crafted, malicious input. An attacker can create a CDATA section that causes the regular expression engine to backtrack excessively, leading to a significant increase in processing time. This prolonged computation consumes CPU resources, rendering the application unresponsive and effectively causing a denial of service.

What is the Impact of CVE-2019-12041?

Successful exploitation may allow attackers to cause the application to become unresponsive, leading to service disruption and unavailability for legitimate users.

What is the Exploitability of CVE-2019-12041?

Exploitation requires sending a specially crafted input string containing a malicious CDATA section to an application that processes markdown using remarkable 1.7.1. The complexity is low, as the payload is usually a repeating pattern designed to trigger the ReDoS. There are no authentication or privilege requirements beyond the ability to submit content that will be parsed by remarkable. Access can be remote. The primary risk factor is applications that accept and process untrusted user-controllable markdown content without sufficient input validation or resource limits on parsing time.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2019-12041?

Available Upgrade Options

  • remarkable
    • <1.7.2 → Upgrade to 1.7.2
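One way to confirm that no affected copy is still installed is to scan the project's `package-lock.json` for `remarkable` versions below 1.7.2, including copies nested under other dependencies. This is an added example, not code from the advisory or from the remarkable project; the sample lockfile and the `docs-tool` package name are constructed for illustration.

```javascript
const FIXED = [1, 7, 2]; // first fixed release, per the advisory

// True when `version` sorts below 1.7.2 (a prerelease of 1.7.2 also counts as below).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return false; // git/file/url specifiers cannot be judged here
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return m[4] !== undefined;
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return
// every affected copy of remarkable with its install path.
function findAffectedRemarkable(lock) {
  const hits = [];
  // v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/remarkable$/.test(path) && isAffected(meta.version || '')) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 repeats the same data under "dependencies"
  // v1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'remarkable' && isAffected(meta.version || '')) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/remarkable': { version: '2.0.1' },
    'node_modules/docs-tool/node_modules/remarkable': { version: '1.7.1' },
  },
};

console.log(findAffectedRemarkable(sampleLock));
```

Versions that are not plain semver strings (git or file specifiers) are skipped and need a manual check.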

What are Similar Vulnerabilities to CVE-2019-12041?

Similar Vulnerabilities: CVE-2021-42750, CVE-2021-23351, CVE-2022-21696, CVE-2022-26146, CVE-2023-42465