CVE-2025-42873
📋 TL;DR
This CVE describes a denial-of-service vulnerability in SAPUI5/OpenUI5 where malformed markdown input triggers an infinite loop in the outdated markdown-it library, causing high CPU usage and system unresponsiveness. Only availability is affected, not confidentiality or integrity. Organizations using vulnerable SAPUI5/OpenUI5 versions are at risk.
💻 Affected Systems
- SAPUI5
- OpenUI5
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to CPU exhaustion, affecting all users and potentially cascading to dependent systems.
Likely Case
Degraded performance or temporary unavailability of specific SAPUI5/OpenUI5 applications until the infinite loop is terminated.
If Mitigated
Minimal impact with proper input validation and monitoring that detects and terminates runaway processes quickly.
🎯 Exploit Status
Exploitation requires sending malformed markdown input to vulnerable systems
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check SAP Note 3676970 for specific patched versions
Vendor Advisory: https://me.sap.com/notes/3676970
Restart Required: Yes
Instructions:
1. Review SAP Note 3676970 for affected versions and patches
2. Apply SAP Security Patch Day updates for your SAPUI5/OpenUI5 installation
3. Restart affected services after patching
4. Verify the update was successful
🔧 Temporary Workarounds
Input Validation Filter
allImplement input validation to reject or sanitize malformed markdown content before processing
Implementation depends on specific application architecture
Process Monitoring and Termination
allConfigure monitoring to detect and terminate processes with abnormal CPU usage patterns
Implementation depends on operating system and monitoring tools
🧯 If You Can't Patch
- Implement strict input validation for all markdown processing
- Deploy monitoring with automated termination of high-CPU processes
🔍 How to Verify
Check if Vulnerable:
Check SAPUI5/OpenUI5 version against affected versions listed in SAP Note 3676970Check Version:
Check SAPUI5/OpenUI5 version through SAP administration tools or application metadataVerify Fix Applied:
Verify installed version matches patched version from SAP Note 3676970 and test with safe markdown input📡 Detection & Monitoring
Log Indicators:
- Sustained high CPU usage alerts
- Process timeout or termination logs
- Application error logs related to markdown processing
Network Indicators:
- Unusually large or malformed markdown content in requests
SIEM Query:
Example: (process_name:"ui5" OR application:"SAPUI5") AND (cpu_usage:>90 AND duration:>60s)