CVE-2025-42873: CWE-405: Asymmetric Resource Consumption in SAP_SE SAPUI5 framework (Markdown-it component)
SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability.
AI Analysis
Technical Summary
CVE-2025-42873 is a vulnerability classified under CWE-405 (Asymmetric Resource Consumption) found in the SAPUI5 framework, specifically within the Markdown-it third-party component used for rendering markdown content. The issue arises because the Markdown-it library in SAPUI5 versions 755 to 758 uses outdated code that does not properly handle certain malformed markdown inputs. When such inputs are processed, the parser enters an infinite loop, causing the CPU to be consumed excessively and the processing thread to become blocked. This results in a Denial of Service (DoS) condition where the affected SAPUI5 application becomes unresponsive and unavailable to legitimate users. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, but it has a high attack complexity due to the need to craft specific malformed markdown content. The impact is limited to availability, with no confidentiality or integrity compromise. The CVSS v3.1 score is 5.9, reflecting medium severity. No patches or known exploits are currently reported, but the risk remains significant for environments relying heavily on SAPUI5 for user interface rendering. The vulnerability highlights the risks of using outdated third-party libraries in enterprise software stacks.
Potential Impact
For European organizations, the primary impact of CVE-2025-42873 is operational disruption due to Denial of Service conditions in SAPUI5-based applications. Many enterprises across Europe use SAP solutions for critical business functions such as ERP, supply chain management, and customer relationship management. An unresponsive UI layer can halt business processes, delay transactions, and degrade user experience, potentially leading to financial losses and reputational damage. Since the vulnerability does not affect data confidentiality or integrity, the risk of data breaches is low. However, availability issues could affect compliance with service level agreements (SLAs) and regulatory requirements for uptime, especially in sectors like finance, manufacturing, and public administration. The lack of known exploits reduces immediate risk, but the medium severity and ease of triggering the infinite loop via network inputs mean attackers could leverage this vulnerability for targeted DoS attacks. Organizations with high SAPUI5 usage should prioritize mitigation to maintain operational continuity.
Mitigation Recommendations
1. Monitor SAP and third-party advisories for official patches or updates addressing CVE-2025-42873 and apply them promptly once available.
2. Implement input validation and sanitization on all markdown inputs to detect and block malformed content that could trigger the infinite loop.
3. Employ rate limiting and anomaly detection on endpoints processing markdown content to prevent abuse and detect unusual CPU usage spikes.
4. Consider isolating SAPUI5 services in dedicated environments with resource limits to contain potential DoS impact.
5. Regularly monitor system performance metrics, especially CPU and thread responsiveness, to identify early signs of exploitation.
6. Engage with SAP support to understand any interim workarounds or configuration changes that can mitigate risk.
7. Educate development and operations teams about the risks of outdated third-party libraries and enforce secure software supply chain practices.
8. Review and update incident response plans to include scenarios involving UI-layer DoS attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:17.023Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69378a890af42da4c56f96b8
Added to database: 12/9/2025, 2:33:45 AM
Last enriched: 12/16/2025, 4:58:50 AM
Last updated: 2/5/2026, 7:56:06 AM