7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-25102

GHSA ID

GHSA-j533-2g8v-pmpg

EPSS Score

0.24517%

CWE

CWE-1333

Published

2/12/2023

Updated

10/20/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-25102

CVE-2019-25102:
Regular Expression Denial of Service in simple-markdown

A vulnerability, which was classified as problematic, was found in simple-markdown 0.6.0. Affected is an unknown function of the file simple-markdown.js. The manipulation with the input <<<<<<<<<<:/:/:/:/:/:/:/:/:/:/ leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.6.1 is able to address this issue. The name of the patch is 015a719bf5cdc561feea05500ecb3274ef609cd2. It is recommended to upgrade the affected component. VDB-220638 is the identifier assigned to this vulnerability.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-25102

GHSA ID

GHSA-j533-2g8v-pmpg

EPSS Score

0.24517%

CWE

CWE-1333

Published

2/12/2023

Updated

10/20/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
simple-markdown	npm	< 0.6.1	0.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was explicitly fixed by modifying the autolink regex in simple-markdown.js (changed from /^<([^ >]+:/[^ >]+)>/ to /^<([^: >]+:/[^ >]+)>/). The commit message and CWE-1333 classification confirm this was an inefficient regex pattern. The attack vector demonstrates exploitation through the autolink parsing logic, and no other code changes were made in the patching commit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, w*s *oun* in simpl*-m*rk*own *.*.*. *****t** is *n unknown *un*tion o* t** *il* simpl*-m*rk*own.js. T** m*nipul*tion wit* t** input <<<<<<<<<<:/:/:/:/:/:/:/:/:/:/ l***s to in***i*i*nt r**ul*r *xpr

Reasoning

T** vuln*r**ility w*s *xpli*itly *ix** *y mo*i*yin* t** *utolink r***x in `simpl*-m*rk*own.js` (***n*** *rom /^<([^ >]+:\/[^ >]+)>/ to /^<([^: >]+:\/[^ >]+)>/). T** *ommit m*ss*** *n* *W*-**** *l*ssi*i**tion *on*irm t*is w*s *n in***i*i*nt r***x p*tt

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-25102: Regular Expression Denial of Service in simple-markdown

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-25102:
Regular Expression Denial of Service in simple-markdown

Vulnerability Intelligence
Miggo AI