
Description

Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 used regular expressions with inefficient, potentially exponential worst-case complexity. Crafted inputs could trigger excessive backtracking in these expressions, causing high CPU or memory usage and resource exhaustion, potentially leading to denial of service. Version 1.0.2 contains a patch. Additionally, users who process untrusted inputs should review and restrict their input sources.

PUBLISHED Reserved 2025-09-01 | Published 2025-09-08 | Updated 2025-09-09 | Assigner GitHub_M




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-1333: Inefficient Regular Expression Complexity

CWE-400: Uncontrolled Resource Consumption

Product status

< 1.0.2: affected

References

github.com/...attown/security/advisories/GHSA-455v-w7r9-3vv9

github.com/...ommit/70c2a28fb7dc520cfb7e401e0e141bff3dd26ead

cve.org (CVE-2025-58451)

nvd.nist.gov (CVE-2025-58451)
