
CVE-2026-2327: Regular Expression Denial of Service (ReDoS) in markdown-it

Severity: Medium
Published: Thu Feb 12 2026 (02/12/2026, 05:00:07 UTC)
Source: CVE Database V5
Product: markdown-it

Description

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

AI-Powered Analysis

Last updated: 02/12/2026, 06:00:51 UTC

Technical Analysis

CVE-2026-2327 is a Regular Expression Denial of Service (ReDoS) vulnerability in the markdown-it package, a popular JavaScript library used to parse and render markdown content. It affects versions from 13.0.0 up to, but not including, 14.1.1 and stems from the regular expression /\*+$/ used within the linkify function. The regex is intended to match trailing asterisks, but it backtracks excessively when given a long run of asterisks followed by a character that does not satisfy the pattern: from each starting position the engine consumes the whole run, fails at the end-of-string anchor, and retries with progressively shorter matches. An attacker can trigger this by submitting markdown that contains a large number of consecutive asterisks followed by a non-matching character, forcing the regex engine to burn CPU time and degrading the application or rendering it unresponsive. Exploitation requires no privileges, authentication, or user interaction, so the issue is remotely reachable wherever markdown-it processes untrusted input. The CVSS 4.0 base score of 6.9 (medium) reflects the network attack vector, low attack complexity, and absence of required privileges or user interaction. No exploits are currently reported in the wild. Any application or service that uses markdown-it to parse markdown from external or untrusted sources is affected, including web applications, content management systems, and developer tools.

Potential Impact

For European organizations, this vulnerability poses a risk of service disruption through denial-of-service attacks against applications that use markdown-it for markdown processing. Web services, APIs, and content platforms that accept user-generated markdown can suffer degraded performance or outages. The impact is most relevant for sectors that rely heavily on collaborative documentation, content publishing, or developer tooling, such as technology companies, media, and education. Disruptions would result in loss of availability, affecting business operations and user experience. While the vulnerability does not directly compromise confidentiality or integrity, a denial of service could be used as part of a broader attack to distract defenders or degrade defenses. Organizations with automated markdown processing pipelines may also face operational delays or failures. The medium severity rating indicates a significant but not critical threat that still warrants prompt remediation to maintain service reliability and security posture.

Mitigation Recommendations

The primary mitigation is to upgrade markdown-it to 14.1.1 or later, where the vulnerable regex has been fixed or replaced (the Description above lists versions before 14.1.1 as affected). If an immediate upgrade is not feasible, validate input before parsing and reject markdown containing suspiciously long runs of asterisks or other patterns that could trigger the ReDoS. Rate limiting and request throttling on endpoints that process markdown reduce the risk of large-scale exploitation, and a Web Application Firewall (WAF) with custom rules for malicious markdown payloads adds a further protective layer. Monitoring application performance metrics and logs for unusual CPU spikes or slowdowns during markdown processing can reveal attempted exploitation. Developers should review markdown processing workflows to isolate untrusted input handling and consider sandboxing or resource-limiting regex operations. Regularly applying security patches and maintaining dependency hygiene through automated tooling reduces exposure to similar vulnerabilities.
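The following is an added example, not markdown-it's own code and not a reproduction of its linkify function. It shows a linear-time replacement for the /\*+$/ pattern named in the Technical Analysis and the pre-parse guard suggested in the mitigations; the function names, the sample inputs and the threshold of 64 are assumptions chosen for illustration.

```javascript
// Added example, not markdown-it's own code. The regex below is the one named
// in the advisory; stripTrailingStars is a linear-time replacement for
// s.replace(/\*+$/, ''), and hasLongStarRun is the pre-parse guard the
// mitigation section suggests.

const VULNERABLE_TRAILING_STARS = /\*+$/;

// Count trailing '*' by scanning backwards: O(n) with no backtracking.
// The regex, by contrast, retries \*+ from every position in a long run
// and fails at $ each time, which is O(n^2) on "****...*x" style inputs.
function trailingStarCount(s) {
  let n = 0;
  for (let i = s.length - 1; i >= 0 && s[i] === '*'; i--) n++;
  return n;
}

// Behaviourally equivalent to s.replace(VULNERABLE_TRAILING_STARS, '').
function stripTrailingStars(s) {
  return s.slice(0, s.length - trailingStarCount(s));
}

// Pre-parse guard for untrusted input: flag any run of '*' longer than
// maxRun (64 is an assumed threshold; tune it to your real content).
function hasLongStarRun(s, maxRun = 64) {
  let run = 0;
  for (let i = 0; i < s.length; i++) {
    run = s[i] === '*' ? run + 1 : 0;
    if (run > maxRun) return true;
  }
  return false;
}

// Sanity check on constructed samples: the replacement must agree with the
// regex on every input, including runs that are not at the end of the string
// and a trailing newline (JS '$' without the m flag only matches at the end).
function replacementMatchesRegex(samples) {
  return samples.every(
    (s) => stripTrailingStars(s) === s.replace(VULNERABLE_TRAILING_STARS, ''),
  );
}

// Constructed sample inputs for the equivalence check.
const SAMPLES = ['abc***', '***', 'a*b', '', 'a**\n', '**a**', '*'.repeat(200) + 'x'];
```

Run the guard on untrusted input before handing it to the parser, and use the equivalence check when swapping the regex for the loop in your own code.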


Technical Details

Data Version: 5.2
Assigner Short Name: snyk
Date Reserved: 2026-02-11T07:02:27.771Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698d69274b57a58fa1db4942

Added to database: 2/12/2026, 5:46:15 AM

Last enriched: 2/12/2026, 6:00:51 AM

Last updated: 2/12/2026, 7:37:37 AM
