NodeJS/marked/0.3.9
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
2 Security Vulnerabilities
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:

```js
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:

```js
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
181 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
15.0.0 | MIT | | 2024-11-09 - 03:02 | 6 days
14.1.4 | MIT | | 2024-11-07 - 17:29 | 7 days
14.1.3 | MIT | | 2024-10-15 - 04:30 | about 1 month
14.1.2 | MIT | | 2024-09-08 - 15:31 | 2 months
14.1.1 | MIT | | 2024-09-04 - 00:12 | 2 months
14.1.0 | MIT | | 2024-08-26 - 04:00 | 3 months
14.0.0 | MIT | | 2024-08-07 - 03:37 | 3 months
13.0.3 | MIT | | 2024-07-28 - 17:34 | 4 months
13.0.2 | MIT | | 2024-07-04 - 00:10 | 4 months
13.0.1 | MIT | | 2024-06-24 - 14:54 | 5 months
13.0.0 | MIT | | 2024-06-12 - 06:10 | 5 months
12.0.2 | MIT | | 2024-04-19 - 05:13 | 7 months
12.0.1 | MIT | | 2024-03-06 - 07:43 | 8 months
12.0.0 | MIT | | 2024-02-03 - 16:27 | 10 months
11.2.0 | MIT | | 2024-01-27 - 00:32 | 10 months
11.1.1 | MIT | | 2023-12-31 - 02:33 | 11 months
11.1.0 | MIT | | 2023-12-12 - 06:08 | 11 months
11.0.1 | MIT | | 2023-12-08 - 07:23 | 11 months
11.0.0 | MIT | | 2023-11-29 - 04:02 | 12 months
10.0.0 | MIT | | 2023-11-11 - 05:55 | about 1 year
9.1.6 | MIT | | 2023-11-10 - 07:48 | about 1 year
9.1.5 | MIT | | 2023-11-02 - 04:35 | about 1 year
9.1.4 | MIT | | 2023-10-31 - 02:02 | about 1 year
9.1.3 | MIT | | 2023-10-28 - 05:17 | about 1 year
9.1.2 | MIT | | 2023-10-13 - 19:59 | about 1 year
9.1.1 | MIT | | 2023-10-11 - 20:28 | about 1 year
9.1.0 | MIT | | 2023-10-05 - 02:12 | about 1 year
9.0.3 | MIT | | 2023-09-18 - 17:44 | about 1 year
9.0.2 | MIT | | 2023-09-16 - 23:30 | about 1 year
9.0.1 | MIT | | 2023-09-15 - 19:30 | about 1 year
9.0.0 | MIT | | 2023-09-09 - 23:57 | about 1 year
8.0.1 | MIT | | 2023-09-06 - 19:03 | about 1 year
8.0.0 | MIT | | 2023-09-03 - 04:08 | about 1 year
7.0.5 | MIT | | 2023-08-26 - 16:03 | about 1 year
7.0.4 | MIT | | 2023-08-19 - 23:04 | about 1 year
7.0.3 | MIT | | 2023-08-15 - 00:21 | over 1 year
7.0.2 | MIT | | 2023-08-10 - 05:39 | over 1 year
7.0.1 | MIT | | 2023-08-07 - 22:56 | over 1 year
7.0.0 | MIT | | 2023-08-06 - 23:54 | over 1 year
6.0.0 | MIT | | 2023-07-31 - 21:49 | over 1 year
5.1.2 | MIT | | 2023-07-25 - 05:13 | over 1 year
5.1.1 | MIT | | 2023-07-07 - 14:46 | over 1 year
5.1.0 | MIT | | 2023-06-10 - 03:15 | over 1 year
5.0.5 | MIT | | 2023-06-07 - 04:24 | over 1 year
5.0.4 | MIT | | 2023-05-30 - 22:28 | over 1 year
5.0.3 | MIT | | 2023-05-26 - 16:56 | over 1 year
5.0.2 | MIT | | 2023-05-11 - 15:20 | over 1 year
5.0.1 | MIT | | 2023-05-06 - 20:52 | over 1 year
5.0.0 | MIT | | 2023-05-02 - 04:37 | over 1 year
4.3.0 | MIT | | 2023-03-22 - 05:54 | over 1 year
4.2.12 | MIT | | 2023-01-14 - 06:41 | almost 2 years
4.2.11 | MIT | | 2023-01-14 - 06:28 | almost 2 years
4.2.10 | MIT | | 2023-01-14 - 06:18 | almost 2 years
4.2.9 | MIT | | 2023-01-14 - 06:02 | almost 2 years
4.2.8 | MIT | | 2023-01-14 - 05:07 | almost 2 years
4.2.7 | MIT | | 2023-01-14 - 04:46 | almost 2 years
4.2.6 | MIT | | 2023-01-14 - 03:52 | almost 2 years
4.2.5 | MIT | | 2022-12-23 - 15:42 | almost 2 years
4.2.4 | MIT | | 2022-12-07 - 07:48 | almost 2 years
4.2.3 | MIT | | 2022-11-20 - 16:10 | almost 2 years
4.2.2 | MIT | | 2022-11-05 - 00:44 | about 2 years
4.2.1 | MIT | | 2022-11-02 - 02:07 | about 2 years
4.2.0 | MIT | | 2022-10-31 - 23:10 | about 2 years
4.1.1 | MIT | | 2022-10-01 - 01:35 | about 2 years
4.1.0 | MIT | | 2022-08-30 - 14:40 | about 2 years
4.0.19 | MIT | | 2022-08-21 - 16:24 | about 2 years
4.0.18 | MIT | | 2022-07-11 - 15:17 | over 2 years
4.0.17 | MIT | | 2022-06-13 - 03:18 | over 2 years
4.0.16 | MIT | | 2022-05-17 - 13:32 | over 2 years
4.0.15 | MIT | | 2022-05-02 - 06:14 | over 2 years
4.0.14 | MIT | | 2022-04-11 - 00:38 | over 2 years
4.0.13 | MIT | | 2022-04-08 - 01:54 | over 2 years
4.0.12 | MIT | | 2022-01-27 - 04:12 | almost 3 years
4.0.11 | MIT | | 2022-01-26 - 21:52 | almost 3 years
4.0.10 | MIT | | 2022-01-13 - 02:03 | almost 3 years
4.0.9 | MIT | 2 | 2022-01-06 - 15:33 | almost 3 years
4.0.8 | MIT | 2 | 2021-12-19 - 00:22 | almost 3 years
4.0.7 | MIT | 2 | 2021-12-09 - 23:59 | almost 3 years
4.0.6 | MIT | 2 | 2021-12-02 - 03:19 | almost 3 years
4.0.5 | MIT | 2 | 2021-11-25 - 00:12 | almost 3 years
4.0.4 | MIT | 2 | 2021-11-19 - 14:09 | almost 3 years
4.0.3 | MIT | 2 | 2021-11-13 - 04:33 | about 3 years
4.0.2 | MIT | 2 | 2021-11-12 - 21:39 | about 3 years
4.0.1 | MIT | 2 | 2021-11-11 - 02:35 | about 3 years
4.0.0 | MIT | 2 | 2021-11-02 - 14:42 | about 3 years
3.0.8 | MIT | 2 | 2021-10-24 - 05:05 | about 3 years
3.0.7 | MIT | 2 | 2021-10-07 - 14:02 | about 3 years
3.0.6 | MIT | 2 | 2021-10-06 - 21:57 | about 3 years
3.0.5 | MIT | 2 | 2021-10-06 - 20:34 | about 3 years
3.0.4 | MIT | 2 | 2021-09-14 - 17:50 | about 3 years
3.0.3 | MIT | 2 | 2021-09-08 - 20:22 | about 3 years
3.0.2 | MIT | 2 | 2021-08-25 - 02:25 | about 3 years
3.0.1 | MIT | 2 | 2021-08-23 - 18:49 | about 3 years
3.0.0 | MIT | 2 | 2021-08-16 - 03:09 | about 3 years
2.1.3 | MIT | 2 | 2021-06-25 - 20:15 | over 3 years
2.1.2 | MIT | 2 | 2021-06-22 - 17:27 | over 3 years
2.1.1 | MIT | 2 | 2021-06-16 - 13:50 | over 3 years
2.1.0 | MIT | 2 | 2021-06-15 - 23:23 | over 3 years
2.0.7 | MIT | 2 | 2021-06-01 - 19:28 | over 3 years
2.0.6 | MIT | 2 | 2021-05-27 - 16:17 | over 3 years