NodeJS/marked/1.2.2
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service (REDoS) in Marked
- https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
- https://nvd.nist.gov/vuln/detail/CVE-2021-21306
- https://github.com/advisories/GHSA-4r62-v4vq-hr96
- https://github.com/markedjs/marked/issues/1927
- https://github.com/markedjs/marked/pull/1864
- https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
- https://www.npmjs.com/package/marked
Impact
What kind of vulnerability is it? Who is impacted?
Regular expression Denial of Service
A denial-of-service attack can affect anyone who runs user-generated content through marked.
Patches
Has the problem been patched? What versions should users upgrade to?
Patched in v2.0.0.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
None.
References
Are there any links users can visit to find out more?
- https://github.com/markedjs/marked/issues/1927
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.
The PoC is the following (the input defines one reference link and then repeats an escaped-bracket pattern that the affected regex backtracks over):

```javascript
import * as marked from 'marked';

// Each repetition of `\[\](` multiplies the backtracking work in inline.reflinkSearch.
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Inefficient Regular Expression Complexity in marked
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression `block.def` may cause catastrophic backtracking against some strings.
The PoC is the following (a link reference definition padded with long runs of whitespace, which the affected regex backtracks over):

```javascript
import * as marked from "marked";

// The whitespace runs around the destination are what block.def backtracks over.
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
181 Other Versions
Version | License | Security (known vulnerabilities) | Released | Age |
---|---|---|---|---|
2.0.5 | MIT | 2 | 2021-05-21 - 20:54 | over 3 years |
2.0.4 | MIT | 2 | 2021-05-20 - 13:44 | over 3 years |
2.0.3 | MIT | 2 | 2021-04-11 - 19:09 | over 3 years |
2.0.2 | MIT | 2 | 2021-04-10 - 20:23 | over 3 years |
2.0.1 | MIT | 2 | 2021-02-27 - 05:52 | over 3 years |
2.0.0 | MIT | 2 | 2021-02-07 - 22:26 | almost 4 years |
1.2.9 | MIT | 3 | 2021-02-03 - 19:48 | almost 4 years |
1.2.8 | MIT | 3 | 2021-01-26 - 14:21 | almost 4 years |
1.2.7 | MIT | 3 | 2020-12-15 - 20:15 | almost 4 years |
1.2.6 | MIT | 3 | 2020-12-10 - 16:30 | almost 4 years |
1.2.5 | MIT | 3 | 2020-11-19 - 14:32 | almost 4 years |
1.2.4 | MIT | 3 | 2020-11-15 - 02:05 | almost 4 years |
1.2.3 | MIT | 3 | 2020-11-04 - 21:25 | about 4 years |
1.2.2 | MIT | 3 | 2020-10-21 - 14:58 | about 4 years |
1.2.1 | MIT | 3 | 2020-10-21 - 14:51 | about 4 years |
1.2.0 | MIT | 3 | 2020-09-28 - 05:09 | about 4 years |
1.1.2 | MIT | 3 | 2020-10-21 - 14:40 | about 4 years |
1.1.1 | MIT | 3 | 2020-07-14 - 01:54 | over 4 years |
1.1.0 | MIT | 2 | 2020-05-16 - 21:45 | over 4 years |
1.0.0 | MIT | 2 | 2020-04-21 - 01:07 | over 4 years |
0.8.2 | MIT | 2 | 2020-03-22 - 15:44 | over 4 years |
0.8.1 | MIT | 2 | 2020-03-18 - 21:44 | over 4 years |
0.8.0 | MIT | 2 | 2019-12-12 - 20:49 | almost 5 years |
0.7.0 | MIT | 2 | 2019-07-06 - 04:13 | over 5 years |
0.6.3 | MIT | 3 | 2019-06-30 - 02:11 | over 5 years |
0.6.2 | MIT | 3 | 2019-04-05 - 14:32 | over 5 years |
0.6.1 | MIT | 4 | 2019-02-19 - 20:03 | over 5 years |
0.6.0 | MIT | 5 | 2019-01-01 - 00:49 | almost 6 years |
0.5.2 | MIT | 5 | 2018-11-20 - 00:04 | almost 6 years |
0.5.1 | MIT | 5 | 2018-09-26 - 01:51 | about 6 years |
0.5.0 | MIT | 5 | 2018-08-16 - 22:07 | about 6 years |
0.4.0 | MIT | 4 | 2018-05-21 - 13:05 | over 6 years |
0.3.19 | MIT | 3 | 2018-03-26 - 02:59 | over 6 years |
0.3.18 | MIT | 3 | 2018-03-22 - 17:01 | over 6 years |
0.3.17 | MIT | 3 | 2018-02-27 - 13:07 | over 6 years |
0.3.16 | MIT | 3 | 2018-02-20 - 20:56 | over 6 years |
0.3.15 | MIT | 3 | 2018-02-19 - 04:26 | over 6 years |
0.3.14 | MIT | 3 | 2018-02-16 - 13:35 | over 6 years |
0.3.13 | MIT | 2 | 2018-02-16 - 13:33 | over 6 years |
0.3.12 | MIT | 2 | 2018-01-09 - 00:10 | almost 7 years |
0.3.9 | MIT | 2 | 2017-12-23 - 18:05 | almost 7 years |
0.3.7 | MIT | 6 | 2017-12-01 - 18:08 | almost 7 years |
0.3.6 | MIT | 7 | 2016-07-30 - 03:10 | over 8 years |
0.3.5 | MIT | 9 | 2015-07-31 - 09:41 | over 9 years |
0.3.4 | MIT | 9 | 2015-07-29 - 10:18 | over 9 years |
0.3.3 | MIT | 11 | 2015-01-25 - 23:54 | almost 10 years |
0.3.2 | MIT | 14 | 2014-03-10 - 07:25 | over 10 years |
0.3.1 | MIT | 14 | 2014-01-31 - 23:07 | almost 11 years |
0.3.0 | MIT | 16 | 2013-12-24 - 14:14 | almost 11 years |
0.2.10 | MIT | 16 | 2013-11-02 - 23:12 | about 11 years |
0.2.9 | MIT | 16 | 2013-05-29 - 01:43 | over 11 years |
0.2.8 | MIT | 16 | 2013-02-02 - 02:40 | almost 12 years |
0.2.7 | MIT | 16 | 2013-01-05 - 13:28 | almost 12 years |
0.2.6 | MIT | 16 | 2012-11-23 - 16:09 | almost 12 years |
0.2.5 | MIT | 16 | 2012-05-11 - 17:33 | over 12 years |
0.2.4 | MIT | 16 | 2012-04-12 - 07:31 | over 12 years |
0.2.4-1 | MIT | 16 | 2012-04-21 - 21:46 | over 12 years |
0.2.3 | MIT | 16 | 2012-03-11 - 07:46 | over 12 years |
0.2.2 | MIT | 16 | 2012-03-10 - 22:38 | over 12 years |
0.2.2-1 | MIT | 16 | 2012-03-10 - 22:44 | over 12 years |
0.2.1 | MIT | 16 | 2012-02-20 - 15:20 | over 12 years |
0.2.0 | MIT | 16 | 2012-02-16 - 19:56 | over 12 years |
0.1.9 | MIT | 16 | 2012-01-30 - 18:19 | almost 13 years |
0.1.8 | MIT | 16 | 2012-01-25 - 21:00 | almost 13 years |
0.1.7 | MIT | 16 | 2012-01-21 - 15:35 | almost 13 years |
0.1.6 | MIT | 16 | 2012-01-15 - 13:17 | almost 13 years |
0.1.5 | MIT | 16 | 2012-01-04 - 08:12 | almost 13 years |
0.1.4 | MIT | 16 | 2011-12-05 - 04:08 | almost 13 years |
0.1.3 | MIT | 16 | 2011-11-27 - 04:16 | almost 13 years |
0.1.2 | MIT | 16 | 2011-10-23 - 05:12 | about 13 years |
0.1.1 | MIT | 16 | 2011-10-14 - 23:34 | about 13 years |
0.1.0 | MIT | 16 | 2011-09-15 - 22:03 | about 13 years |
0.0.9 | MIT | 16 | 2011-08-27 - 23:49 | about 13 years |
0.0.8 | MIT | 16 | 2011-08-26 - 10:30 | about 13 years |
0.0.7 | MIT | 16 | 2011-08-25 - 16:48 | about 13 years |
0.0.6 | MIT | 16 | 2011-08-23 - 16:59 | about 13 years |
0.0.5 | MIT | 16 | 2011-08-19 - 00:54 | about 13 years |
0.0.4 | MIT | 16 | 2011-08-18 - 22:27 | about 13 years |
0.0.3 | MIT | 16 | 2011-08-14 - 05:09 | over 13 years |
0.0.2 | MIT | 16 | 2011-08-14 - 05:05 | over 13 years |
0.0.1 | MIT | 16 | 2011-07-24 - 13:15 | over 13 years |