GHSA-5478-66c3-rhxr: Pretext: Algorithmic Complexity (DoS) in the text analysis phase

April 8, 2026

isRepeatedSingleCharRun() in src/analysis.ts (line 285) re-scans the entire accumulated segment on every merge iteration during text analysis, producing O(n²) total work for input consisting of repeated identical punctuation characters. An attacker who controls text passed to prepare() can block the main thread for ~20 seconds with 80KB of input (e.g., "(".repeat(80_000)).

Tested against commit 9364741d3562fcc65aacc50953e867a5cb9fdb23 (v0.0.4) on Node.js v24.12.0, Windows x64.

A standalone PoC and detailed write-up are attached below.

References

github.com/advisories/GHSA-5478-66c3-rhxr
github.com/chenglou/pretext
github.com/chenglou/pretext/releases/tag/v0.0.5
github.com/chenglou/pretext/security/advisories/GHSA-5478-66c3-rhxr

Code Behaviors & Features

Detect and mitigate GHSA-5478-66c3-rhxr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →