NodeJS/marked/0.3.14
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
3 Security Vulnerabilities
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch
may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def
may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Marked ReDoS due to email addresses being evaluated in quadratic time
- https://github.com/markedjs/marked/issues/1070
- https://github.com/advisories/GHSA-xf5p-87ch-gxw2
- https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d
- https://github.com/markedjs/marked/pull/1460
- https://snyk.io/vuln/SNYK-JS-MARKED-174116
- https://www.npmjs.com/advisories/812
- https://github.com/markedjs/marked/releases/tag/v0.6.2
Versions of marked
from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
Recommendation
Upgrade to version 0.6.2 or later.
181 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
15.0.0 | MIT | 2024-11-09 - 03:02 | 6 days | |
14.1.4 | MIT | 2024-11-07 - 17:29 | 7 days | |
14.1.3 | MIT | 2024-10-15 - 04:30 | about 1 month | |
14.1.2 | MIT | 2024-09-08 - 15:31 | 2 months | |
14.1.1 | MIT | 2024-09-04 - 00:12 | 2 months | |
14.1.0 | MIT | 2024-08-26 - 04:00 | 3 months | |
14.0.0 | MIT | 2024-08-07 - 03:37 | 3 months | |
13.0.3 | MIT | 2024-07-28 - 17:34 | 4 months | |
13.0.2 | MIT | 2024-07-04 - 00:10 | 4 months | |
13.0.1 | MIT | 2024-06-24 - 14:54 | 5 months | |
13.0.0 | MIT | 2024-06-12 - 06:10 | 5 months | |
12.0.2 | MIT | 2024-04-19 - 05:13 | 7 months | |
12.0.1 | MIT | 2024-03-06 - 07:43 | 8 months | |
12.0.0 | MIT | 2024-02-03 - 16:27 | 10 months | |
11.2.0 | MIT | 2024-01-27 - 00:32 | 10 months | |
11.1.1 | MIT | 2023-12-31 - 02:33 | 11 months | |
11.1.0 | MIT | 2023-12-12 - 06:08 | 11 months | |
11.0.1 | MIT | 2023-12-08 - 07:23 | 11 months | |
11.0.0 | MIT | 2023-11-29 - 04:02 | 12 months | |
10.0.0 | MIT | 2023-11-11 - 05:55 | about 1 year | |
9.1.6 | MIT | 2023-11-10 - 07:48 | about 1 year | |
9.1.5 | MIT | 2023-11-02 - 04:35 | about 1 year | |
9.1.4 | MIT | 2023-10-31 - 02:02 | about 1 year | |
9.1.3 | MIT | 2023-10-28 - 05:17 | about 1 year | |
9.1.2 | MIT | 2023-10-13 - 19:59 | about 1 year | |
9.1.1 | MIT | 2023-10-11 - 20:28 | about 1 year | |
9.1.0 | MIT | 2023-10-05 - 02:12 | about 1 year | |
9.0.3 | MIT | 2023-09-18 - 17:44 | about 1 year | |
9.0.2 | MIT | 2023-09-16 - 23:30 | about 1 year | |
9.0.1 | MIT | 2023-09-15 - 19:30 | about 1 year | |
9.0.0 | MIT | 2023-09-09 - 23:57 | about 1 year | |
8.0.1 | MIT | 2023-09-06 - 19:03 | about 1 year | |
8.0.0 | MIT | 2023-09-03 - 04:08 | about 1 year | |
7.0.5 | MIT | 2023-08-26 - 16:03 | about 1 year | |
7.0.4 | MIT | 2023-08-19 - 23:04 | about 1 year | |
7.0.3 | MIT | 2023-08-15 - 00:21 | over 1 year | |
7.0.2 | MIT | 2023-08-10 - 05:39 | over 1 year | |
7.0.1 | MIT | 2023-08-07 - 22:56 | over 1 year | |
7.0.0 | MIT | 2023-08-06 - 23:54 | over 1 year | |
6.0.0 | MIT | 2023-07-31 - 21:49 | over 1 year | |
5.1.2 | MIT | 2023-07-25 - 05:13 | over 1 year | |
5.1.1 | MIT | 2023-07-07 - 14:46 | over 1 year | |
5.1.0 | MIT | 2023-06-10 - 03:15 | over 1 year | |
5.0.5 | MIT | 2023-06-07 - 04:24 | over 1 year | |
5.0.4 | MIT | 2023-05-30 - 22:28 | over 1 year | |
5.0.3 | MIT | 2023-05-26 - 16:56 | over 1 year | |
5.0.2 | MIT | 2023-05-11 - 15:20 | over 1 year | |
5.0.1 | MIT | 2023-05-06 - 20:52 | over 1 year | |
5.0.0 | MIT | 2023-05-02 - 04:37 | over 1 year | |
4.3.0 | MIT | 2023-03-22 - 05:54 | over 1 year | |
4.2.12 | MIT | 2023-01-14 - 06:41 | almost 2 years | |
4.2.11 | MIT | 2023-01-14 - 06:28 | almost 2 years | |
4.2.10 | MIT | 2023-01-14 - 06:18 | almost 2 years | |
4.2.9 | MIT | 2023-01-14 - 06:02 | almost 2 years | |
4.2.8 | MIT | 2023-01-14 - 05:07 | almost 2 years | |
4.2.7 | MIT | 2023-01-14 - 04:46 | almost 2 years | |
4.2.6 | MIT | 2023-01-14 - 03:52 | almost 2 years | |
4.2.5 | MIT | 2022-12-23 - 15:42 | almost 2 years | |
4.2.4 | MIT | 2022-12-07 - 07:48 | almost 2 years | |
4.2.3 | MIT | 2022-11-20 - 16:10 | almost 2 years | |
4.2.2 | MIT | 2022-11-05 - 00:44 | about 2 years | |
4.2.1 | MIT | 2022-11-02 - 02:07 | about 2 years | |
4.2.0 | MIT | 2022-10-31 - 23:10 | about 2 years | |
4.1.1 | MIT | 2022-10-01 - 01:35 | about 2 years | |
4.1.0 | MIT | 2022-08-30 - 14:40 | about 2 years | |
4.0.19 | MIT | 2022-08-21 - 16:24 | about 2 years | |
4.0.18 | MIT | 2022-07-11 - 15:17 | over 2 years | |
4.0.17 | MIT | 2022-06-13 - 03:18 | over 2 years | |
4.0.16 | MIT | 2022-05-17 - 13:32 | over 2 years | |
4.0.15 | MIT | 2022-05-02 - 06:14 | over 2 years | |
4.0.14 | MIT | 2022-04-11 - 00:38 | over 2 years | |
4.0.13 | MIT | 2022-04-08 - 01:54 | over 2 years | |
4.0.12 | MIT | 2022-01-27 - 04:12 | almost 3 years | |
4.0.11 | MIT | 2022-01-26 - 21:52 | almost 3 years | |
4.0.10 | MIT | 2022-01-13 - 02:03 | almost 3 years | |
4.0.9 | MIT | 2 | 2022-01-06 - 15:33 | almost 3 years |
4.0.8 | MIT | 2 | 2021-12-19 - 00:22 | almost 3 years |
4.0.7 | MIT | 2 | 2021-12-09 - 23:59 | almost 3 years |
4.0.6 | MIT | 2 | 2021-12-02 - 03:19 | almost 3 years |
4.0.5 | MIT | 2 | 2021-11-25 - 00:12 | almost 3 years |
4.0.4 | MIT | 2 | 2021-11-19 - 14:09 | almost 3 years |
4.0.3 | MIT | 2 | 2021-11-13 - 04:33 | about 3 years |
4.0.2 | MIT | 2 | 2021-11-12 - 21:39 | about 3 years |
4.0.1 | MIT | 2 | 2021-11-11 - 02:35 | about 3 years |
4.0.0 | MIT | 2 | 2021-11-02 - 14:42 | about 3 years |
3.0.8 | MIT | 2 | 2021-10-24 - 05:05 | about 3 years |
3.0.7 | MIT | 2 | 2021-10-07 - 14:02 | about 3 years |
3.0.6 | MIT | 2 | 2021-10-06 - 21:57 | about 3 years |
3.0.5 | MIT | 2 | 2021-10-06 - 20:34 | about 3 years |
3.0.4 | MIT | 2 | 2021-09-14 - 17:50 | about 3 years |
3.0.3 | MIT | 2 | 2021-09-08 - 20:22 | about 3 years |
3.0.2 | MIT | 2 | 2021-08-25 - 02:25 | about 3 years |
3.0.1 | MIT | 2 | 2021-08-23 - 18:49 | about 3 years |
3.0.0 | MIT | 2 | 2021-08-16 - 03:09 | about 3 years |
2.1.3 | MIT | 2 | 2021-06-25 - 20:15 | over 3 years |
2.1.2 | MIT | 2 | 2021-06-22 - 17:27 | over 3 years |
2.1.1 | MIT | 2 | 2021-06-16 - 13:50 | over 3 years |
2.1.0 | MIT | 2 | 2021-06-15 - 23:23 | over 3 years |
2.0.7 | MIT | 2 | 2021-06-01 - 19:28 | over 3 years |
2.0.6 | MIT | 2 | 2021-05-27 - 16:17 | over 3 years |