markdown-it-py is vulnerable to Denial of Service (DoS)
53
Medium Risk
markdown-it-py collapses runs of adjacent inline text tokens into a single string in the fragments_join inline rule and the text_join core rule. Before the fix, both rules rebuilt the merged content with repeated pairwise a + b string concatenation inside a loop, which is quadratic in the length of each contiguous run. A crafted Markdown document containing very long runs of adjacent text or delimiter tokens, such as tens of thousands of intraword underscores on one line, forces this quadratic work and drives excessive CPU time and very large peak memory allocation while rendering. The fix collapses each contiguous run in a single "".join(...) pass, restoring linear time and memory behavior.
You are affected if you are using a version that falls within the vulnerable range.
markdown-it-py is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 4.0.0.
Upgrade the markdown-it-py library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant