CVE-2022-21670
DoS (Denial of Service) vulnerability in markdown-it
What is CVE-2022-21670 About?
This vulnerability in 'markdown-it' allows special patterns with excessive length to significantly slow down the parser, leading to a Denial of Service (DoS). By providing a large, crafted input string, an attacker can consume excessive CPU resources. Exploiting this is relatively easy, requiring only a malicious markdown input.
Affected Software
Technical Details
The 'markdown-it' library is susceptible to a Denial of Service (DoS) vulnerability when processing special patterns exceeding 50,000 characters in length. Specifically, the markdown parsing engine (e.g., when invoked through `md.render()`) does not efficiently handle very long, repetitive patterns of the `' '.repeat(150000)` type, as demonstrated in the JavaScript proof-of-concept. When such an input is encountered, the parser's algorithmic complexity degrades, causing it to consume disproportionately high CPU resources and time. This extended processing time effectively renders the application unresponsive to legitimate requests, leading to a resource-exhaustion DoS.
What is the Impact of CVE-2022-21670?
Successful exploitation may allow attackers to cause a denial of service by slowing down the parser, consuming excessive CPU resources, and making the application unresponsive.
What is the Exploitability of CVE-2022-21670?
Exploitation of this vulnerability is of low complexity. An attacker needs only to provide a specially crafted markdown string of excessive length containing the identified problematic pattern. There are no authentication requirements if the application processes untrusted markdown input from any source. Similarly, no special privileges are needed. This is typically a remote attack if the markdown parser is exposed via a web application, API, or service that processes user-submitted content. The primary risk factor is the application's acceptance of arbitrary markdown input without sufficient length or pattern validation prior to passing it to the 'markdown-it' library for rendering.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-21670?
Available Upgrade Options
- markdown-it
- <12.3.2 → Upgrade to 12.3.2
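The two controls discussed above, the upgrade to 12.3.2 and length validation before rendering, are shown here as an added example that is not code from the markdown-it project or its advisory. It assumes an npm lockfile using the `packages` layout (lockfileVersion 2 or 3); the function names, the sample lockfile and the 50,000-character default limit are illustrative choices.

```javascript
// Added example. All function and constant names are illustrative.
const FIXED = [12, 3, 2];         // first patched markdown-it release named on this page
const MAX_MARKDOWN_CHARS = 50000; // pattern length above which the page reports slowdown

// True when a markdown-it version string is older than 12.3.2.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?/.exec(String(version));
  if (!m) return true; // unparseable version: fail closed
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return Boolean(m[4]); // a prerelease of 12.3.2 sorts before the fixed release
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every markdown-it copy, top-level or nested, that still needs upgrading.
function findVulnerable(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, pkg]) =>
      path.split('node_modules/').pop() === 'markdown-it' && isVulnerable(pkg.version))
    .map(([path, pkg]) => `${path}@${pkg.version}`);
}

// Defense in depth: reject oversized untrusted input before the parser sees it.
// `render` is whatever the application uses, e.g. (s) => md.render(s).
function guardedRender(render, input, maxChars = MAX_MARKDOWN_CHARS) {
  if (typeof input !== 'string') throw new TypeError('markdown input must be a string');
  if (input.length > maxChars) {
    throw new RangeError(`markdown input is ${input.length} chars, limit is ${maxChars}`);
  }
  return render(input);
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/markdown-it': { version: '12.3.2' },
    'node_modules/docs-tool/node_modules/markdown-it': { version: '12.0.4' },
    'node_modules/markdown-it-anchor': { version: '8.4.1' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```

The length guard only narrows exposure on releases before 12.3.2; nested copies reported by the lockfile scan still need the upgrade.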
Additional Resources
- https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c
- https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101
- https://nvd.nist.gov/vuln/detail/CVE-2022-21670
- https://osv.dev/vulnerability/GHSA-6vfc-qv3f-vr6c
- https://github.com/markdown-it/markdown-it
What are Similar Vulnerabilities to CVE-2022-21670?
Similar Vulnerabilities: CVE-2021-3803, CVE-2021-45105, CVE-2021-44228, CVE-2022-23529, CVE-2023-35805
