Description
CVE-2025-6493 - Medium Severity Vulnerability
Vulnerable Library - codemirror-5.58.3.tgz
Full-featured in-browser code editor
Library home page: https://registry.npmjs.org/codemirror/-/codemirror-5.58.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ codemirror-5.58.3.tgz (Vulnerable Library)
Found in HEAD commit: d87706978173ac6516da5e83374518c21263b77b
Found in base branch: master
Vulnerability Details
A vulnerability was found in CodeMirror up to 5.17.0 and classified as problematic. Affected by this issue is some unknown functionality of the file mode/markdown/markdown.js of the component Markdown Mode. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Not all code samples mentioned in the GitHub issue can be found. The repository mentions that "CodeMirror 6 exists, and is [...] much more actively maintained."
- While the issue was reported up to version 5.17.0, the problematic patterns persisted in versions after that. In version 6.x, the issue has been resolved.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-22
URL: CVE-2025-6493
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low