PT-2018-4700 · Jadedown · Jadedown

Published: 2018-05-31 · Updated: 2019-10-09 · CVE-2016-10520

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

jadedown (affected versions not specified)

Description

The issue is a regular expression denial of service (ReDoS) vulnerability. When certain types of user input are passed to the module, the regular expression engine backtracks excessively and the software becomes unresponsive. The estimated time to block the service can be as low as 5 seconds with a relatively small input of 48 characters. The vulnerability was identified on October 24, 2015, and the maintainers were notified the same day. They responded with intent to fix on October 25, 2015. An advisory was published on January 5, 2016.

Recommendations

As a temporary workaround, consider refactoring the dependent application so that it does not use the jadedown module, especially where the module processes user-controlled input: the package is not actively maintained and has not seen an update since 2011. At the moment there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Resource Exhaustion

RCE


Weakness Enumeration

Related Identifiers

CVE-2016-10520
GHSA-6354-6MHV-MVV5

Affected Products

Jadedown