CVE-2025-58451: 
JavaScript vulnerability analysis and mitigation

Cattown, a JavaScript markdown parser, was found to contain security vulnerabilities in versions prior to 1.0.2. The vulnerability was discovered and disclosed on September 7, 2025, and was assigned CVE-2025-58451. The issue affects the regular expression handling in the markdown parsing functionality, specifically impacting all versions of Cattown below 1.0.2 (GitHub Advisory).

The vulnerability stems from two main technical issues: inefficient regular expression complexity (CWE-1333) and uncontrolled resource consumption (CWE-400). The package used regular expressions with potentially exponential worst-case complexity, which could cause excessive CPU usage due to excessive backtracking on crafted inputs. The CVSS v4.0 base score for this vulnerability is 8.7 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

The vulnerability can lead to denial of service conditions through two primary mechanisms: excessive CPU consumption and resource exhaustion. When processing malicious inputs, the application could experience high CPU or memory usage, potentially affecting service availability. The impact is particularly significant as it requires no user interaction and can be triggered remotely (GitHub Advisory).

The vulnerability has been patched in version 1.0.2 of Cattown. Users are strongly encouraged to upgrade to this version to mitigate the risks. Additionally, it is recommended to review and restrict input sources if untrusted inputs are processed. The patch includes improvements to the inline tokenizer to prevent excessive backtracking and implement input length limits (GitHub Commit).