fix: prevent ReDoS in inline link regex title group#3902
fix: prevent ReDoS in inline link regex title group#3902UziTech merged 1 commit intomarkedjs:masterfrom
Conversation
The title separator in the link regex used [ \t]* which allowed the title group to be probed at every backtrack position of the greedy href group. On long single-line input containing [text]( patterns without a nearby closing ), this produced O(n²) per regex call and O(n³) in the full inline tokenizer. Change [ \t]* to [ \t]+|\n to require actual whitespace before the title. This matches CommonMark spec requirements and eliminates the backtracking cascade. Before: 18K input takes ~36 seconds (event loop blocked) After: 18K input takes ~45ms
Summary of ChangesHello @tzonghao, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request resolves a critical performance vulnerability (ReDoS) within the Markdown parser's inline link processing. By refining the regular expression used for link titles, it prevents excessive backtracking on certain inputs, leading to a substantial improvement in parsing efficiency and system stability when encountering malformed Markdown links. Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively addresses a critical Regular Expression Denial of Service (ReDoS) vulnerability in the inline link regex. The modification to the regex ensures stricter adherence to the CommonMark specification for title separators, preventing excessive backtracking. The addition of a dedicated test case for this specific ReDoS scenario is a valuable improvement, enhancing the robustness and reliability of the parser.
|
@tzonghao is attempting to deploy a commit to the MarkedJS Team on Vercel. A member of the Team first needs to authorize it. |
There was a problem hiding this comment.
Pull request overview
This PR fixes a ReDoS (Regular Expression Denial of Service) vulnerability in the inline link regex pattern by changing the title separator from [ \t]* to [ \t]+|\n. This prevents catastrophic backtracking on malicious input while maintaining CommonMark specification compliance.
Changes:
- Modified the inline link regex to require actual whitespace (at least one space/tab or a newline) before attempting to match the title group, eliminating O(n²) backtracking per regex call
- Added a ReDoS test case that validates the fix by testing 1000 repeated
a[b](cpatterns without closing parentheses
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/rules.ts | Updated link regex pattern to change title separator from [ \t]* to `[ \t]+ |
| test/specs/redos/cubic_link_title.cjs | Added test case with 1000 repeated incomplete link patterns to verify the ReDoS vulnerability is fixed |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
## [17.0.4](v17.0.3...v17.0.4) (2026-03-04) ### Bug Fixes * prevent ReDoS in inline link regex title group ([#3902](#3902)) ([46fb9b8](46fb9b8))
The title separator in the link regex used [ \t]* which allowed the title group to be probed at every backtrack position of the greedy href group. On long single-line input containing [text]( patterns without a nearby closing ), this produced O(n²) per regex call and O(n³) in the full inline tokenizer.
Change [ \t]* to [ \t]+|\n to require actual whitespace before the title. This matches CommonMark spec requirements and eliminates the backtracking cascade.
Before: 18K input takes ~36 seconds (event loop blocked)
After: 18K input takes ~45ms
Marked version:
Markdown flavor: Markdown.pl|CommonMark|GitHub Flavored Markdown|n/a
Description
Contributor
Committer
In most cases, this should be a different person than the contributor.