js · markdown-it · Heads-up
markdown-it: Quadratic CPU usage in smartquotes rule (typographer: true)
What changed
A quadratic time complexity vulnerability in markdown-it's smartquotes rule (enabled via `typographer: true`) causes excessive CPU usage when processing many consecutive quotation marks, leading to denial of service.
Who it affects
Applications that render user-supplied markdown with `typographer: true` enabled.
What to do today
Disable the `typographer` option if not needed, or apply a patch that replaces the `replaceAt()` approach with an O(n) method.
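Why a per-quote `replaceAt()` pattern is quadratic and how a single-pass build avoids it, as an added sketch that is not markdown-it's source or the actual patch. The body of `replaceAt`, the names `curlQuadratic` and `curlLinear`, the alternating open/close rule and the `copied` cost counter are assumptions made for the illustration.

```javascript
// Added illustration (not markdown-it code): simplified quote replacement.
const OPEN = '\u201c';   // left curly quote
const CLOSE = '\u201d';  // right curly quote

// Assumed shape of a replaceAt() helper: rebuilds the whole string per call.
function replaceAt(str, index, ch) {
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// One full rebuild per quote: q quotes in n characters cost about q * n copies.
function curlQuadratic(text) {
  let out = text;
  let copied = 0;          // cost model: characters rewritten
  let open = true;
  for (let i = 0; i < out.length; i++) {
    if (out[i] !== '"') continue;
    out = replaceAt(out, i, open ? OPEN : CLOSE);
    copied += out.length;  // entire string rebuilt for this single quote
    open = !open;
  }
  return { out, copied };
}

// Single pass: collect untouched slices and replacements, join once at the end.
function curlLinear(text) {
  const parts = [];
  let copied = 0;
  let open = true;
  let last = 0;            // start of the slice not yet emitted
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== '"') continue;
    parts.push(text.slice(last, i), open ? OPEN : CLOSE);
    copied += i - last + 1;
    open = !open;
    last = i + 1;
  }
  parts.push(text.slice(last));
  copied += text.length - last;
  return { out: parts.join(''), copied };
}

// Constructed sample: identical output, different cost.
const sample = 'say "hi" now';
console.log(curlQuadratic(sample), curlLinear(sample));
```

Under this cost model the first function's work grows with the number of quotes times the input length, while the second's grows with the input length alone.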