CVE-2025-6493

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-6493
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6493.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-6493
Downstream
Published
2025-06-22T22:15:22Z
Modified
2025-07-01T16:33:24.687925Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

A vulnerability was found in CodeMirror up to 5.17.0 and classified as problematic. Affected by this issue is some unknown functionality of the file mode/markdown/markdown.js of the component Markdown Mode. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Not all code samples mentioned in the GitHub issue can be found. The repository mentions, that "CodeMirror 6 exists, and is [...] much more actively maintained."

References

Affected packages

Debian:11 / codemirror-js

Package

Name
codemirror-js
Purl
pkg:deb/debian/codemirror-js?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.59.2+~cs0.23.109-1
5.62.2+~cs5.83.6-1
5.63.3+~cs5.83.9-1
5.65.0+~cs5.83.9-1
5.65.0+~cs5.83.9-2
5.65.0+~cs5.83.9-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / codemirror-js

Package

Name
codemirror-js
Purl
pkg:deb/debian/codemirror-js?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.65.0+~cs5.83.9-2
5.65.0+~cs5.83.9-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / codemirror-js

Package

Name
codemirror-js
Purl
pkg:deb/debian/codemirror-js?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.65.0+~cs5.83.9-2
5.65.0+~cs5.83.9-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}