CVE-2025-42873

Medienbericht

EPSS 0.05%
Veröffentlicht 09.12.2025 02:14:07
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle cna@sap.com
CVE-Watchlists
Login
Unerledigt
Login

Denial of Service (DoS) in SAPUI5 framework (Markdown-it component)

SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerSAP_SE

≫

Produkt SAPUI5 framework (Markdown-it component)

Default Statusunaffected

Version SAP_UI 755

Status affected

Version 756

Status affected

Version 757

Status affected

Version 758

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.143

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@sap.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-405 Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

https://www.heise.de/news/SAP-Patchday-14-Sicherheitswarnungen-zum-Jahresende-11107757.html

Media Report

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3676970

https://nvd.nist.gov/vuln/detail/CVE-2025-42873

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-42873

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-42873

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-42873