Regular Expression Denial of Service Vulnerability in markdown-it by npm
CVE-2026-2327

6.9MEDIUM

Key Information:

Vendor: npm
Status: Markdown-it
Vendor: CVE Published:; 12 February 2026

What is CVE-2026-2327?

The markdown-it package, particularly versions from 13.0.0 and before 14.1.1, is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. This issue arises from the regex used in its linkify function: /+$. An attacker can exploit this vulnerability by providing a long string of asterisks () followed by a non-matching character. This causes excessive backtracking in the regex engine, potentially resulting in a denial-of-service condition that can interrupt the normal functioning of applications utilizing this package.

Affected Version(s)

markdown-it 13.0.0 < 14.1.1

References

https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-10666750

https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2a...

https://github.com/markdown-it/markdown-it/blob/14.1.0/li...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2026
Vulnerability Reserved
Feb 11, 2026

Credit

Duc Le Trung

CVE-2026-2327 Data

JSON