html-to-markdown is vulnerable to Uncontrolled Resource Consumption
55
Medium Risk
html-to-markdown converts HTML to Markdown using a table column-width pre-pass that renders each cell to measure its width. When the input contains deeply nested layout tables, this pre-pass recursively re-renders every nested table for every ancestor cell, so the work grows combinatorially with nesting depth. An attacker who supplies crafted HTML, such as a table-heavy email or scraped web page, can make a single conversion consume minutes of CPU and effectively hang the process, causing denial of service. The fix threads a measurement-only flag through the conversion context so nested tables fall back to descendant text during measurement, keeping the pre-pass linear in input size.
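The following toy model is an added illustration of the mechanism described above; it is not html-to-markdown's own code. The names (TableParser, Converter, render_calls, table_nesting_depth, nested_table_html) are hypothetical, the parser keeps only table/row/cell structure and text, and the renderer is reduced to the one property that matters: a width pre-pass that measures a cell by rendering it. With `measurement_flag=False` every nested table is re-rendered inside every ancestor's pre-pass, so a chain of d single-cell tables costs 2^d - 1 full renders; with the flag set, the pre-pass substitutes descendant text for nested tables and the cost is d. The nesting-depth check at the end is a defence-in-depth idea for unpatched deployments, not something the advisory prescribes.

```python
"""Toy model of a table column-width pre-pass, vulnerable and fixed variants.

Added example; not html-to-markdown's implementation. All names are hypothetical.
"""
from html.parser import HTMLParser


class Table:
    def __init__(self):
        self.rows = []          # list of rows, each a list of Cell


class Cell:
    def __init__(self):
        self.children = []      # text fragments (str) and nested Table objects


class TableParser(HTMLParser):
    """Minimal parser: keeps only <table>/<tr>/<td|th> nesting and cell text."""

    def __init__(self):
        super().__init__()
        self.root = Cell()      # pseudo-cell that holds top-level content
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        top = self.stack[-1]
        if tag == "table" and isinstance(top, Cell):
            top.children.append(Table())
            self.stack.append(top.children[-1])
        elif tag == "tr" and isinstance(top, Table):
            top.rows.append([])
        elif tag in ("td", "th") and isinstance(top, Table) and top.rows:
            top.rows[-1].append(Cell())
            self.stack.append(top.rows[-1][-1])

    def handle_endtag(self, tag):
        top = self.stack[-1]
        closes_table = tag == "table" and isinstance(top, Table)
        closes_cell = tag in ("td", "th") and isinstance(top, Cell) and top is not self.root
        if closes_table or closes_cell:
            self.stack.pop()

    def handle_data(self, data):
        if isinstance(self.stack[-1], Cell) and data.strip():
            self.stack[-1].children.append(data.strip())


def descendant_text(node):
    """Plain text of a subtree; never renders a table, so it is linear in size."""
    if isinstance(node, str):
        return node
    if isinstance(node, Table):
        return " ".join(descendant_text(c) for row in node.rows for c in row)
    return " ".join(descendant_text(ch) for ch in node.children)


class Converter:
    """measurement_flag=False models the vulnerable pre-pass, True the fix."""

    def __init__(self, measurement_flag):
        self.fixed = measurement_flag
        self.render_calls = 0   # number of full table renders performed

    def render_cell(self, cell, measuring=False):
        parts = []
        for child in cell.children:
            if isinstance(child, str):
                parts.append(child)
            elif measuring and self.fixed:
                # Fixed: while only measuring, stand in the descendant text for a
                # nested table. Widths of nested tables may be slightly off, but
                # no table is rendered just to be measured.
                parts.append(descendant_text(child))
            else:
                # Vulnerable: render the nested table in full (its own pre-pass
                # plus real pass) inside every ancestor's pre-pass.
                parts.append(self.render_table(child, measuring))
        return " ".join(parts)

    def render_table(self, table, measuring=False):
        self.render_calls += 1
        widths = {}
        for row in table.rows:                     # pre-pass: measure each column
            for i, cell in enumerate(row):
                widths[i] = max(widths.get(i, 0), len(self.render_cell(cell, measuring=True)))
        lines = []
        for row in table.rows:                     # real pass: emit Markdown rows
            cells = [self.render_cell(c, measuring).ljust(widths[i]) for i, c in enumerate(row)]
            lines.append("| " + " | ".join(cells) + " |")
        return "\n".join(lines)


def nested_table_html(depth, text="x"):
    """Constructed attacker input: one cell nested `depth` tables deep."""
    return "<table><tr><td>" * depth + text + "</td></tr></table>" * depth


def to_markdown(html, fixed=True):
    parser = TableParser()
    parser.feed(html)
    return Converter(measurement_flag=fixed).render_cell(parser.root)


def render_calls(html, fixed):
    """Convert `html` and return how many full table renders it cost."""
    parser = TableParser()
    parser.feed(html)
    conv = Converter(measurement_flag=fixed)
    conv.render_cell(parser.root)
    return conv.render_calls


def table_nesting_depth(html):
    """Cheap pre-check for unpatched versions: one linear parse, no rendering."""
    parser = TableParser()
    parser.feed(html)

    def depth(node):
        if isinstance(node, Table):
            return 1 + max((depth(c) for row in node.rows for c in row), default=0)
        return max((depth(ch) for ch in node.children if not isinstance(ch, str)), default=0)

    return depth(parser.root)
```

Running `render_calls(nested_table_html(d), fixed=False)` for growing d shows the doubling directly (d=10 costs 1023 renders, d=20 would cost over a million), while the fixed variant costs exactly d. A deployment that cannot upgrade yet can call `table_nesting_depth` on untrusted input and refuse anything beyond a policy limit such as 8 before handing it to the converter.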
You are affected if the installed html-to-markdown is any version in the vulnerable range, 3.4.1 through 3.6.10 inclusive, and your application converts HTML that an untrusted party can influence (inbound email, scraped pages, user-submitted content).
Upgrade html-to-markdown to a release later than 3.6.10, which carries the measurement-only fix. Until the upgrade lands, treat conversion of untrusted HTML as an expensive operation: run it under a time or CPU budget, and reject input whose table nesting exceeds a sane limit before converting it.