VDB
CVE-2025-9670
CVE-2025-9670
PUBLISHED
CVSS 6.900000095367432 MEDIUM
A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
EPSS 0.09% · 25.2th percentile
Risk Scores
CVSS 4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
EPSS Score
0.09%
25.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| mixmark-io | turndown | 7.2.0, 7.2.1, 7.2.0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-9670 (circl-sighting)
- CIRCL seen: CVE-2025-9670 (circl-sighting)
- VDB-321880 | mixmark-io turndown commonmark-rules.js redos (circl)
- VDB-321880 | CTI Indicators (IOB, IOC, TTP, IOA) (circl)
- Submit #637911 | turndown npm v7.2.1 Inefficient Regular Expression Complexity (circl)
- https://github.com/mixmark-io/turndown/issues/501 (circl)
- https://github.com/mixmark-io/turndown/issues/501#issue-3336342088 (cve.org)
Timeline
- Aug 29, 2025 CVE Published
- Aug 29, 2025 CVE Updated
- Aug 29, 2025 PoC Published
- Aug 30, 2025 EPSS Score
- Sep 7, 2025 EPSS Score
- Sep 14, 2025 EPSS Score
- Sep 22, 2025 EPSS Score
- Sep 30, 2025 EPSS Score
- Oct 7, 2025 EPSS Score
- Oct 15, 2025 EPSS Score
- Oct 23, 2025 EPSS Score
- Oct 31, 2025 EPSS Score
References
- VDB-321880 | mixmark-io turndown commonmark-rules.js redos vdb
- VDB-321880 | CTI Indicators (IOB, IOC, TTP, IOA) url
- Submit #637911 | turndown npm v7.2.1 Inefficient Regular Expression Complexity third-party-advisory
- https://github.com/mixmark-io/turndown/issues/501 issue
- https://github.com/mixmark-io/turndown/issues/501#issue-3336342088 exploit
- https://nvd.nist.gov/vuln/detail/CVE-2025-9670 advisory