NodeJS/marked/0.1.7
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
16 Security Vulnerabilities
Moderate severity vulnerability that affects marked
Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set.
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch
may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Marked vulnerable to XSS from data URIs
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
- https://github.com/advisories/GHSA-7px7-7xjx-hxm8
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
- https://snyk.io/vuln/npm:marked:20170112
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
Cross-Site Scripting in marked
Versions 0.3.7 and earlier of marked unescape only lowercase while owsers support both lowercase and uppercase x in hexadecimal form of HTML character entity
Multiple Content Injection Vulnerabilities in marked
Versions 0.3.0 and earlier of marked
are affected by two cross-site scripting vulnerabilities, even when sanitize: true
is set.
The attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs.
Recommendation
Upgrade to version 0.3.1 or later.
VBScript Content Injection in marked
- https://nvd.nist.gov/vuln/detail/CVE-2015-1370
- https://github.com/advisories/GHSA-cfjh-p3g4-3q2f
- https://github.com/markedjs/marked/issues/492
- https://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1
- https://www.npmjs.com/advisories/24
- https://www.npmjs.com/advisories/24/versions
- https://github.com/chjj/marked/issues/492
- https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba
- https://nodesecurity.io/advisories/marked_vbscript_injection
- http://www.openwall.com/lists/oss-security/2015/01/23/2
Versions 0.3.2 and earlier of marked
are affected by a cross-site scripting vulnerability even when sanitize:true
is set.
Proof of Concept ( IE10 Compatibility Mode Only )
[xss link](vbscript:alert(1))
will get a link
<a href="vbscript:alert(1)">xss link</a>
Recommendation
Update to version 0.3.3 or later.
Moderate severity vulnerability that affects marked
Withdrawn
This advisory has been withdrawn, per NVD: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
Original Description
A Regular expression Denial of Service (ReDoS) vulnerability in the file marked.js of the marked npm package (tested on version 0.3.7) allows a remote attacker to overload and crash a server by passing a maliciously crafted string.
Regular Expression Denial of Service in marked
- https://nvd.nist.gov/vuln/detail/CVE-2015-8854
- https://github.com/advisories/GHSA-hjcp-j389-59ff
- https://github.com/chjj/marked/issues/497
- https://www.npmjs.com/advisories/23
- https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
- https://nodesecurity.io/advisories/23
- https://support.f5.com/csp/article/K05052081?utm_source=f5support&utm_medium=RSS
- http://www.openwall.com/lists/oss-security/2016/04/20/11
Versions 0.3.3 and earlier of marked
are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the em
inline rule.
Recommendation
Update to version 0.3.4 or later.
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def
may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Sanitization bypass using HTML Entities in marked
- https://nvd.nist.gov/vuln/detail/CVE-2016-10531
- https://github.com/advisories/GHSA-vfvf-mqq8-rwqc
- https://github.com/chjj/marked/pull/592
- https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523
- https://www.npmjs.com/advisories/101
- https://nodesecurity.io/advisories/101
Affected versions of marked
are susceptible to a cross-site scripting vulnerability in link components when sanitize:true
is configured.
Proof of Concept
This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.
For example:
A link URI such as
javascript֍ocument;alert(1)
Renders a valid link that when clicked will execute alert(1)
.
Recommendation
Update to version 0.3.6 or later.
Content injection in marked
Versions 0.3.7 and earlier of marked When mangling is disabled via option mangle don't escape target href. This allow attacker to inject arbitrary html-event into resulting a tag.
Regular Expression Denial of Service in marked
Affected versions of marked
are vulnerable to a regular expression denial of service.
The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.
Recommendation
Update to version 0.3.9 or later.
Sanitization bypass using HTML Entities
marked is an application that is meant to parse and compile markdown.
Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true
) to inject a javascript:
URL.
This flaw exists because &#xNNanything;
gets parsed to what it could and leaves the rest behind, resulting in just anything;
being left.
For example:
If a malicious user could provide this input to the application javascript֍ocument;alert(1)
resulting in a valid link, that when a user clicked it would execute alert(1)
.
Multiple Content Injection Vulnerabilities
Marked comes with an option to sanitize user output to help protect against content injection attacks.
sanitize: true
Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser.
Injection is possible in two locations
- gfm codeblocks (language)
- javascript url's
Regular Expression Denial of Service
Marked 0.3.3 and earlier is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
[1]
Marked's catastrophic backtracking issue for the em
inline rule has now been patched in 0.3.4.
VBScript Content Injection
Marked 0.3.2 and earlier is vulnerable to content injection even when sanitize: true
is enabled.
[xss link](vbscript:alert(1))
will get a link
<a href="vbscript:alert(1)">xss link</a>
this script does not work in IE 11 edge mode, but works in IE 10 compatibility view.
181 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
15.0.0 | MIT | 2024-11-09 - 03:02 | 6 days | |
14.1.4 | MIT | 2024-11-07 - 17:29 | 7 days | |
14.1.3 | MIT | 2024-10-15 - 04:30 | about 1 month | |
14.1.2 | MIT | 2024-09-08 - 15:31 | 2 months | |
14.1.1 | MIT | 2024-09-04 - 00:12 | 2 months | |
14.1.0 | MIT | 2024-08-26 - 04:00 | 3 months | |
14.0.0 | MIT | 2024-08-07 - 03:37 | 3 months | |
13.0.3 | MIT | 2024-07-28 - 17:34 | 4 months | |
13.0.2 | MIT | 2024-07-04 - 00:10 | 4 months | |
13.0.1 | MIT | 2024-06-24 - 14:54 | 5 months | |
13.0.0 | MIT | 2024-06-12 - 06:10 | 5 months | |
12.0.2 | MIT | 2024-04-19 - 05:13 | 7 months | |
12.0.1 | MIT | 2024-03-06 - 07:43 | 8 months | |
12.0.0 | MIT | 2024-02-03 - 16:27 | 10 months | |
11.2.0 | MIT | 2024-01-27 - 00:32 | 10 months | |
11.1.1 | MIT | 2023-12-31 - 02:33 | 11 months | |
11.1.0 | MIT | 2023-12-12 - 06:08 | 11 months | |
11.0.1 | MIT | 2023-12-08 - 07:23 | 11 months | |
11.0.0 | MIT | 2023-11-29 - 04:02 | 12 months | |
10.0.0 | MIT | 2023-11-11 - 05:55 | about 1 year | |
9.1.6 | MIT | 2023-11-10 - 07:48 | about 1 year | |
9.1.5 | MIT | 2023-11-02 - 04:35 | about 1 year | |
9.1.4 | MIT | 2023-10-31 - 02:02 | about 1 year | |
9.1.3 | MIT | 2023-10-28 - 05:17 | about 1 year | |
9.1.2 | MIT | 2023-10-13 - 19:59 | about 1 year | |
9.1.1 | MIT | 2023-10-11 - 20:28 | about 1 year | |
9.1.0 | MIT | 2023-10-05 - 02:12 | about 1 year | |
9.0.3 | MIT | 2023-09-18 - 17:44 | about 1 year | |
9.0.2 | MIT | 2023-09-16 - 23:30 | about 1 year | |
9.0.1 | MIT | 2023-09-15 - 19:30 | about 1 year | |
9.0.0 | MIT | 2023-09-09 - 23:57 | about 1 year | |
8.0.1 | MIT | 2023-09-06 - 19:03 | about 1 year | |
8.0.0 | MIT | 2023-09-03 - 04:08 | about 1 year | |
7.0.5 | MIT | 2023-08-26 - 16:03 | about 1 year | |
7.0.4 | MIT | 2023-08-19 - 23:04 | about 1 year | |
7.0.3 | MIT | 2023-08-15 - 00:21 | over 1 year | |
7.0.2 | MIT | 2023-08-10 - 05:39 | over 1 year | |
7.0.1 | MIT | 2023-08-07 - 22:56 | over 1 year | |
7.0.0 | MIT | 2023-08-06 - 23:54 | over 1 year | |
6.0.0 | MIT | 2023-07-31 - 21:49 | over 1 year | |
5.1.2 | MIT | 2023-07-25 - 05:13 | over 1 year | |
5.1.1 | MIT | 2023-07-07 - 14:46 | over 1 year | |
5.1.0 | MIT | 2023-06-10 - 03:15 | over 1 year | |
5.0.5 | MIT | 2023-06-07 - 04:24 | over 1 year | |
5.0.4 | MIT | 2023-05-30 - 22:28 | over 1 year | |
5.0.3 | MIT | 2023-05-26 - 16:56 | over 1 year | |
5.0.2 | MIT | 2023-05-11 - 15:20 | over 1 year | |
5.0.1 | MIT | 2023-05-06 - 20:52 | over 1 year | |
5.0.0 | MIT | 2023-05-02 - 04:37 | over 1 year | |
4.3.0 | MIT | 2023-03-22 - 05:54 | over 1 year | |
4.2.12 | MIT | 2023-01-14 - 06:41 | almost 2 years | |
4.2.11 | MIT | 2023-01-14 - 06:28 | almost 2 years | |
4.2.10 | MIT | 2023-01-14 - 06:18 | almost 2 years | |
4.2.9 | MIT | 2023-01-14 - 06:02 | almost 2 years | |
4.2.8 | MIT | 2023-01-14 - 05:07 | almost 2 years | |
4.2.7 | MIT | 2023-01-14 - 04:46 | almost 2 years | |
4.2.6 | MIT | 2023-01-14 - 03:52 | almost 2 years | |
4.2.5 | MIT | 2022-12-23 - 15:42 | almost 2 years | |
4.2.4 | MIT | 2022-12-07 - 07:48 | almost 2 years | |
4.2.3 | MIT | 2022-11-20 - 16:10 | almost 2 years | |
4.2.2 | MIT | 2022-11-05 - 00:44 | about 2 years | |
4.2.1 | MIT | 2022-11-02 - 02:07 | about 2 years | |
4.2.0 | MIT | 2022-10-31 - 23:10 | about 2 years | |
4.1.1 | MIT | 2022-10-01 - 01:35 | about 2 years | |
4.1.0 | MIT | 2022-08-30 - 14:40 | about 2 years | |
4.0.19 | MIT | 2022-08-21 - 16:24 | about 2 years | |
4.0.18 | MIT | 2022-07-11 - 15:17 | over 2 years | |
4.0.17 | MIT | 2022-06-13 - 03:18 | over 2 years | |
4.0.16 | MIT | 2022-05-17 - 13:32 | over 2 years | |
4.0.15 | MIT | 2022-05-02 - 06:14 | over 2 years | |
4.0.14 | MIT | 2022-04-11 - 00:38 | over 2 years | |
4.0.13 | MIT | 2022-04-08 - 01:54 | over 2 years | |
4.0.12 | MIT | 2022-01-27 - 04:12 | almost 3 years | |
4.0.11 | MIT | 2022-01-26 - 21:52 | almost 3 years | |
4.0.10 | MIT | 2022-01-13 - 02:03 | almost 3 years | |
4.0.9 | MIT | 2 | 2022-01-06 - 15:33 | almost 3 years |
4.0.8 | MIT | 2 | 2021-12-19 - 00:22 | almost 3 years |
4.0.7 | MIT | 2 | 2021-12-09 - 23:59 | almost 3 years |
4.0.6 | MIT | 2 | 2021-12-02 - 03:19 | almost 3 years |
4.0.5 | MIT | 2 | 2021-11-25 - 00:12 | almost 3 years |
4.0.4 | MIT | 2 | 2021-11-19 - 14:09 | almost 3 years |
4.0.3 | MIT | 2 | 2021-11-13 - 04:33 | about 3 years |
4.0.2 | MIT | 2 | 2021-11-12 - 21:39 | about 3 years |
4.0.1 | MIT | 2 | 2021-11-11 - 02:35 | about 3 years |
4.0.0 | MIT | 2 | 2021-11-02 - 14:42 | about 3 years |
3.0.8 | MIT | 2 | 2021-10-24 - 05:05 | about 3 years |
3.0.7 | MIT | 2 | 2021-10-07 - 14:02 | about 3 years |
3.0.6 | MIT | 2 | 2021-10-06 - 21:57 | about 3 years |
3.0.5 | MIT | 2 | 2021-10-06 - 20:34 | about 3 years |
3.0.4 | MIT | 2 | 2021-09-14 - 17:50 | about 3 years |
3.0.3 | MIT | 2 | 2021-09-08 - 20:22 | about 3 years |
3.0.2 | MIT | 2 | 2021-08-25 - 02:25 | about 3 years |
3.0.1 | MIT | 2 | 2021-08-23 - 18:49 | about 3 years |
3.0.0 | MIT | 2 | 2021-08-16 - 03:09 | about 3 years |
2.1.3 | MIT | 2 | 2021-06-25 - 20:15 | over 3 years |
2.1.2 | MIT | 2 | 2021-06-22 - 17:27 | over 3 years |
2.1.1 | MIT | 2 | 2021-06-16 - 13:50 | over 3 years |
2.1.0 | MIT | 2 | 2021-06-15 - 23:23 | over 3 years |
2.0.7 | MIT | 2 | 2021-06-01 - 19:28 | over 3 years |
2.0.6 | MIT | 2 | 2021-05-27 - 16:17 | over 3 years |