Explanation
The remove-markdown package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The index.js file uses an insecure regular expression to remove atx-style headers from supplied input data. A remote attacker can exploit this vulnerability by crafting and submitting markdown that contains a header with a large number of consecutive space characters. This results in a DoS when the application attempts to process the markdown.
Example:
"## aaa bbb".replace(/^(\n)?\s{0,}#{1,6}\s+| {0,}(\n)?\s{0,}#{0,} {0,}(\n)?\s{0,}$/gm, '$1$2$3');
If there are 50 spaces (or fewer) between "aaa" and "bbb", there is no problem.
If there are more than 100 spaces (or even more) between "aaa" and "bbb", the call will be very slow.
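One backtracking-free way to strip atx-style headers, as an added example (not the remove-markdown project's code or its patch). The names `stripAtxLine`, `stripAtxHeaders` and `demo` are hypothetical, and the function rewrites header lines only, so it is not a drop-in equivalent of the regex quoted above.

```javascript
// Pattern quoted from the advisory; used here only on short input.
const VULNERABLE = /^(\n)?\s{0,}#{1,6}\s+| {0,}(\n)?\s{0,}#{0,} {0,}(\n)?\s{0,}$/gm;
// Why it is slow: the second alternative can start at any space, and a run of
// spaces can be divided among " {0,}", "\s{0,}", " {0,}" and "\s{0,}" in many
// ways, all of which are tried before "$" fails on the word that follows.

const isBlank = (ch) => ch === ' ' || ch === '\t';

// Strip one atx header line using index scans only: every character is
// visited a bounded number of times, so there is nothing to backtrack over.
function stripAtxLine(line) {
  let i = 0;
  while (i < line.length && isBlank(line[i])) i++;   // leading indent
  const hashStart = i;
  while (i < line.length && line[i] === '#') i++;    // opening marker
  const hashes = i - hashStart;
  // Not a header: no marker, more than six hashes, or no blank after it.
  if (hashes < 1 || hashes > 6 || !isBlank(line[i])) return line;
  while (i < line.length && isBlank(line[i])) i++;   // gap after the marker

  let end = line.length;
  while (end > i && isBlank(line[end - 1])) end--;   // trailing blanks
  while (end > i && line[end - 1] === '#') end--;    // optional closing hashes
  while (end > i && isBlank(line[end - 1])) end--;   // blanks before them
  return line.slice(i, end);
}

// Hypothetical replacement for the header-removal step: works line by line
// and leaves non-header lines untouched.
function stripAtxHeaders(markdown) {
  return markdown.split('\n').map(stripAtxLine).join('\n');
}

// Constructed input with the shape the advisory describes, far past the
// ~100 spaces at which the regex becomes slow. Returns the output length.
function demo() {
  const input = '## aaa' + ' '.repeat(100000) + 'bbb';
  return stripAtxHeaders(input).length;
}

console.log(demo());
```

Where the regex has to stay in place, capping input length before it runs bounds the cost, because the slowdown depends on the length of the run of spaces.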