Exponential Backtracking Vulnerability in Zulip Server Markdown Parser

Exponential Backtracking Vulnerability in Zulip Server Markdown Parser

CVE-2019-16215 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages.

Learn more about our Cis Benchmark Audit For Server Software.