CVE-2026-2327: Regular Expression Denial of Service (ReDoS) in markdown-it
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-2327 is a Regular Expression Denial of Service (ReDoS) vulnerability in markdown-it, a widely used JavaScript Markdown parser found in web applications and content management systems. Versions from 13.0.0 up to, but not including, 14.1.1 use the regular expression /\*+$/ in the linkify function. The pattern is meant to match a run of asterisks at the end of a string, but because it is not anchored at the start, a long run of '*' characters followed by a non-matching character makes the engine retry the greedy \*+ match from every starting position and fail at $ each time, so the work grows quadratically with the length of the run. An attacker can submit Markdown input of that shape and force the regex engine to burn CPU, slowing down or crashing the application. The vulnerability requires no authentication or user interaction and is exploitable remotely by anyone who can submit Markdown to an application running an affected version.

The CVSS 4.0 score of 6.9 (medium) reflects a network attack vector, low attack complexity, no privileges or user interaction required, and an impact limited mainly to availability. No in-the-wild exploitation has been reported, but any service that processes untrusted Markdown with an affected markdown-it version is exposed. The fix is to upgrade to 14.1.1 or later, where the regex has been corrected; where that is not immediately possible, validating input and capping its length reduces the chance of triggering the backtracking.
Potential Impact
The primary impact of CVE-2026-2327 is denial of service through resource exhaustion. Applications using vulnerable markdown-it versions that process untrusted markdown input can be forced to consume excessive CPU resources, leading to degraded performance or crashes. This can disrupt web services, content management systems, or any platform relying on markdown-it for rendering markdown content. The vulnerability does not directly compromise confidentiality or integrity but can cause availability issues, potentially affecting user experience and operational continuity. Organizations with public-facing applications that accept markdown input are at higher risk, as attackers can remotely exploit this vulnerability without authentication or user interaction. The medium severity rating indicates a significant but not critical threat, emphasizing the importance of timely patching to prevent service disruptions.
Mitigation Recommendations
To mitigate CVE-2026-2327, organizations should upgrade markdown-it to a version later than 14.1.1 where the vulnerable regex has been corrected. If upgrading is not immediately feasible, applying input validation to restrict the length and content of markdown input can reduce the risk of triggering the ReDoS condition. Implementing rate limiting and request throttling on endpoints that process markdown content can help mitigate the impact of potential attacks. Additionally, monitoring application performance and logs for unusual CPU spikes or slowdowns during markdown processing can provide early detection of exploitation attempts. Developers should review and test any custom regex patterns used in markdown processing to avoid similar ReDoS vulnerabilities. Finally, incorporating security testing tools that detect ReDoS patterns during development can prevent future occurrences.
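As an added example (not markdown-it's own code), the following JavaScript places the reported regex beside a linear-time scan that returns the same answer (the number of trailing asterisks), and adds the kind of input-length guard the mitigation section recommends; MAX_LEN and the function names are assumptions.

```javascript
// Added example, not code from markdown-it. The reported pattern /\*+$/ has no start
// anchor, so on "*****...x" the engine retries the greedy \*+ run from every '*' and
// fails at $ each time: work proportional to the square of the run length.
const TRAILING_STARS_REGEX = /\*+$/;

// Regex-based check: number of '*' characters that end the string (0 if none).
function trailingStarsWithRegex(text) {
  const m = TRAILING_STARS_REGEX.exec(text);
  return m ? m[0].length : 0;
}

// Linear-time replacement: walk backwards from the end and stop at the first
// non-'*' character. Each character is examined once, whatever the input shape.
function trailingStarsLinear(text) {
  let i = text.length;
  while (i > 0 && text.charCodeAt(i - 1) === 0x2a /* '*' */) i--;
  return text.length - i;
}

// Defence in depth while an older markdown-it is still deployed: bound the input
// before it reaches the parser. MAX_LEN is an assumed application limit.
const MAX_LEN = 64 * 1024;
function guardMarkdownInput(text) {
  if (typeof text !== 'string') throw new TypeError('markdown input must be a string');
  if (text.length > MAX_LEN) {
    throw new RangeError(`markdown input of ${text.length} chars exceeds limit ${MAX_LEN}`);
  }
  return text;
}

// Constructed samples: both implementations agree on ordinary input.
const SAMPLES = ['https://example.com/page***', 'no stars', '***', '', 'a*b**'];
function implementationsAgree() {
  return SAMPLES.every((s) => trailingStarsWithRegex(s) === trailingStarsLinear(s));
}

console.log('regex and linear scan agree on samples:', implementationsAgree());
```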
Affected Countries
United States, Germany, India, Japan, United Kingdom, Canada, Australia, France, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: snyk
- Date Reserved: 2026-02-11T07:02:27.771Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698d69274b57a58fa1db4942
Added to database: 2/12/2026, 5:46:15 AM
Last enriched: 2/19/2026, 2:14:21 PM
Last updated: 3/28/2026, 9:55:04 PM