7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-25103

GHSA ID

GHSA-gpvj-gp8c-c7p2

EPSS Score

0.12588%

CWE

CWE-1333

Published

2/12/2023

Updated

10/20/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-25103

CVE-2019-25103: Regular Expression Denial of Service in simple-markdown

A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The name of the patch is 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-25103

GHSA ID

GHSA-gpvj-gp8c-c7p2

EPSS Score

0.12588%

CWE

CWE-1333

Published

2/12/2023

Updated

10/20/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
simple-markdown	npm	< 0.5.2	0.5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the regex pattern used for inline code parsing in simple-markdown.js. The commit diff shows the vulnerable regex had \s* before/after the content capture group ([\s\S]?[^`]), creating ambiguity in space parsing. This ambiguity led to catastrophic backtracking (CWE-1333). The patch removes these \s quantifiers and adds post-processing for spaces, confirming the regex was the root cause. The function is clearly identified in the defaultRules.inlineCode.match property in simple-markdown.js.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *oun* in simpl*-m*rk*own *.*.* *n* *l*ssi*i** *s pro*l*m*ti*. *****t** *y t*is vuln*r**ility is *n unknown *un*tion*lity o* t** *il* simpl*-m*rk*own.js. T** m*nipul*tion l***s to in***i*i*nt r**ul*r *xpr*ssion *ompl*xity. T**

Reasoning

T** vuln*r**ility st*ms *rom t** r***x p*tt*rn us** *or inlin* *o** p*rsin* in simpl*-m*rk*own.js. T** *ommit *i** s*ows t** vuln*r**l* r***x *** \s* ***or*/**t*r t** *ont*nt **ptur* *roup ([\s\S]*?[^`]), *r**tin* *m*i*uity in sp*** p*rsin*. T*is *m*

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-25103: Regular Expression Denial of Service in simple-markdown

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI