
Cloud Vulnerability DB
A community-led vulnerabilities database
Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 contain a security vulnerability that was discovered and disclosed on September 8, 2025; all releases of Cattown below 1.0.2 are affected. The issue was identified through CodeQL static analysis and has been assigned CVE-2025-58451 (GitHub Advisory).
The vulnerability stems from two related weaknesses: inefficient regular expression complexity (CWE-1333) and uncontrolled resource consumption (CWE-400). The package used regular expressions whose worst-case complexity is potentially exponential, so crafted inputs can trigger heavy backtracking and consume excessive CPU time. The CVSS v4.0 base score is 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (AttackerKB, NVD).
The practical impact is denial of service through resource exhaustion: processing malicious input can drive CPU or memory usage high enough to affect service availability. The advisory also notes that this may bypass protection mechanisms and cause unexpected or insecure behavior (GitHub Advisory).
The vulnerability is patched in Cattown 1.0.2. The fix improves the regular expression patterns and adds input length limits to bound resource consumption. Users are strongly encouraged to upgrade to version 1.0.2 or later and, in addition, to review and restrict the sources of input where untrusted content is processed (GitHub Commit).
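As an added illustration (not Cattown's own code; the patterns below are constructed and are not the ones in the advisory), the following JavaScript shows a ReDoS-prone markdown emphasis matcher beside a linear rewrite, together with the kind of input length cap the fix describes:

```javascript
// Constructed vulnerable pattern (illustrative, not Cattown's): nested
// quantifiers over overlapping classes. On "*aaaa...!" (no closing *) the
// engine tries every way to split the run of a's between the inner \w+ and
// the outer +, so work roughly doubles with each extra character (CWE-1333).
const EMPHASIS_VULNERABLE = /^\*(\w+\s*)+\*/;

// Hardened pattern: one unambiguous character class, so each position is
// consumed in exactly one way and a failed match costs linear time.
const EMPHASIS_SAFE = /^\*([^*\n]+)\*/;

// Assumed cap; the advisory says the fix adds input length limits but the
// page does not state the value, so this is a placeholder for illustration.
const DEFAULT_MAX_INPUT = 64 * 1024;

function escapeHtml(s) {
  return s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
}

// Render leading *emphasis* using the linear pattern only.
function renderEmphasis(text) {
  const m = EMPHASIS_SAFE.exec(text);
  if (!m) return escapeHtml(text);
  return `<em>${escapeHtml(m[1])}</em>${escapeHtml(text.slice(m[0].length))}`;
}

// Defensive wrapper: reject oversized input before any regex runs (CWE-400
// mitigation), then render with the hardened matcher.
function safeRender(text, { maxLength = DEFAULT_MAX_INPUT } = {}) {
  if (typeof text !== "string") throw new TypeError("markdown input must be a string");
  if (text.length > maxLength) {
    return { ok: false, error: `input exceeds ${maxLength} characters` };
  }
  return { ok: true, html: renderEmphasis(text) };
}

// Constructed worst-case input: an opening * followed by n word characters
// and a terminator that can never close the emphasis. Keep n small (well
// under 30) if you ever feed this to EMPHASIS_VULNERABLE.
function worstCaseInput(n) {
  return "*" + "a".repeat(n) + "!";
}
```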
Source: This report was generated using AI