CVE-2025-58451 is a high-severity vulnerability affecting versions of the JavaScript markdown parser Cattown prior to 1.0.2, developed by IEatUranium238. The root cause is inefficient regular expression complexity (CWE-1333), which leads to potentially exponential backtracking during regex evaluation. This inefficiency can be triggered by crafted inputs, causing excessive CPU consumption and memory usage. The resulting resource exhaustion can degrade system performance or cause denial of service (DoS) conditions. Since Cattown is a markdown parser, it is often used in web applications or services that process user-generated markdown content. The vulnerability requires no authentication or user interaction and can be exploited remotely by sending maliciously crafted markdown input to the vulnerable parser. The vendor patched this issue in version 1.0.2 by optimizing the regex patterns to avoid exponential backtracking. No known exploits are currently reported in the wild, but the CVSS 4.0 score of 8.7 reflects the high impact and ease of exploitation. The vulnerability also relates to CWE-400 (Uncontrolled Resource Consumption), emphasizing the risk of denial of service through resource exhaustion. Organizations using Cattown versions prior to 1.0.2 should urgently update to the patched version and restrict or sanitize untrusted markdown inputs to mitigate risk.

For European organizations, this vulnerability poses a significant risk especially for web services and applications that incorporate Cattown for markdown parsing. Exploitation can lead to denial of service by exhausting CPU and memory resources, potentially causing service outages or degraded performance. This can impact availability of critical services, customer-facing platforms, or internal tools relying on markdown content processing. Industries with high reliance on web content management, publishing, or collaborative platforms (e.g., media, education, government portals) are particularly vulnerable. Additionally, resource exhaustion attacks can be leveraged as part of larger attack campaigns to disrupt operations or as a diversion for other malicious activities. The lack of authentication or user interaction requirements means attackers can exploit this remotely and anonymously, increasing the threat surface. Given the high CVSS score and the widespread use of JavaScript-based markdown parsers, the impact on European organizations could be substantial if unpatched systems are exposed to untrusted inputs.

1. Immediate upgrade of all Cattown instances to version 1.0.2 or later, which contains the patch addressing the inefficient regex complexity. 2. Implement strict input validation and sanitization on all markdown inputs, especially those originating from untrusted or external sources, to prevent malicious payloads from reaching the parser. 3. Employ rate limiting and resource usage monitoring on services that process markdown content to detect and mitigate abnormal CPU or memory consumption patterns indicative of exploitation attempts. 4. Consider sandboxing or isolating markdown parsing processes to contain potential resource exhaustion impacts without affecting core system components. 5. Review and update incident response plans to include detection and mitigation strategies for regex-based DoS attacks. 6. Conduct security testing and fuzzing on markdown inputs to identify any residual or related parsing inefficiencies. 7. Maintain awareness of updates from the vendor or security community regarding any emerging exploits or patches.