SecuriTricks - CVE-2025-42873

Description

SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability.

Product(s) Impacted

Vendor	Product	Versions
Sap	Sapui5 Openui5	* *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-405

Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	sap	sapui5	/	/	/	/	/	/	/	/
a	sap	openui5	/	/	/	/	/	/	/	/

References

https://me.sap.com/notes/3676970

https://url.sap/sapsecuritypatchday

CVSS Score

5.9 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: Dec. 9, 2025, 4:17 p.m.
Last Modified: Dec. 9, 2025, 6:36 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cna@sap.com

CVE-2025-42873