Skip to main content
CVE Vulnerability Database

CVE-2025-9670: Turndown Library RCE Vulnerability

CVE-2025-9670 is a remote code execution vulnerability in mixmark-io turndown library up to version 7.2.1 caused by inefficient regex complexity. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9670 Overview

CVE-2025-9670 is a regular expression denial of service (ReDoS) vulnerability in the mixmark-io turndown library through version 7.2.1. The flaw resides in the src/commonmark-rules.js file and stems from inefficient regular expression complexity [CWE-400]. An attacker can trigger the condition remotely by supplying crafted input that forces catastrophic backtracking. Public exploit details have been released, increasing the risk of opportunistic exploitation against applications that convert untrusted HTML to Markdown using turndown.

Critical Impact

Remote attackers can degrade availability of applications embedding turndown by submitting malicious HTML that triggers pathological regex processing.

Affected Products

  • mixmark-io turndown versions up to and including 7.2.1
  • Node.js applications that invoke turndown against attacker-controlled HTML
  • Web services and pipelines performing HTML-to-Markdown conversion with turndown

Discovery Timeline

  • 2025-08-29 - CVE-2025-9670 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9670

Vulnerability Analysis

The turndown library converts HTML into Markdown using a set of rules defined in src/commonmark-rules.js. One or more regular expressions in these rules exhibit inefficient complexity when processing certain input patterns. When the regex engine encounters carefully crafted strings, it enters catastrophic backtracking. This consumes CPU cycles disproportionately to the input size. The condition is classified under [CWE-400] Uncontrolled Resource Consumption. Attackers do not require authentication or user interaction to exploit the flaw. The impact is limited to availability, with no direct effect on confidentiality or integrity of processed data. Applications that expose turndown to network-reachable inputs, such as content ingestion APIs, comment systems, or note-taking services, face the highest risk of service degradation.

Root Cause

The root cause is a poorly bounded regular expression pattern within the commonmark ruleset. The pattern permits ambiguous matching paths that expand exponentially with certain input sequences. Details are tracked in the upstream GitHub issue #501.

Attack Vector

The attack vector is network-based. An attacker submits crafted HTML through any interface that feeds turndown, such as REST endpoints, WebSocket messages, or message queues. Processing a single malicious payload can pin a Node.js event loop thread on regex evaluation, blocking legitimate requests. Repeated submissions can extend the denial of service across worker processes.

No verified exploit code is included here. Refer to the VulDB entry #321880 and the upstream issue discussion for technical details.

Detection Methods for CVE-2025-9670

Indicators of Compromise

  • Sustained CPU saturation in Node.js processes hosting turndown with a stalled or unresponsive event loop.
  • Request timeouts or 5xx responses from endpoints that accept HTML for Markdown conversion.
  • Inbound HTTP payloads containing long repeating character sequences targeting HTML link, emphasis, or code-fence patterns.

Detection Strategies

  • Inventory package.json and package-lock.json files across repositories and build artifacts to identify turndown versions at or below 7.2.1.
  • Instrument application logs to capture request duration and payload size for endpoints invoking turndown, then alert on outliers.
  • Correlate spikes in Node.js CPU utilization with recent inbound HTTP request bodies to isolate malicious inputs.

Monitoring Recommendations

  • Enable event-loop lag metrics and set alert thresholds for sustained lag above normal baselines.
  • Monitor container and pod resource usage for services performing HTML-to-Markdown conversion.
  • Track dependency scanner findings for turndown and gate deployments on updated versions once a fixed release is available.

How to Mitigate CVE-2025-9670

Immediate Actions Required

  • Identify all applications and services that depend on turndown at version 7.2.1 or earlier.
  • Restrict turndown to trusted input sources or gate untrusted HTML behind a size and complexity limit.
  • Deploy request-level timeouts around turndown invocations to prevent single requests from monopolizing CPU.
  • Rate limit endpoints that expose HTML-to-Markdown conversion functionality.

Patch Information

At the time of publication, no fixed release is referenced in the NVD entry. Track the upstream GitHub issue #501 and the mixmark-io repository for a patched version and upgrade as soon as it is available.

Workarounds

  • Wrap turndown calls in a worker thread or child process with a strict execution timeout, then terminate on timeout.
  • Enforce an upper bound on input length before invoking turndown, rejecting payloads that exceed the operational maximum.
  • Sanitize or normalize input HTML with a well-maintained parser before passing content to turndown.
  • Isolate conversion workloads in dedicated processes so that a denial of service does not affect the primary application.
bash
# Configuration example: enforce a hard timeout around turndown conversion
node --experimental-worker convert.js --max-input-bytes=65536 --conversion-timeout-ms=500

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.