NodeJS/marked/3.0.1

A markdown parser built for speed

Repo Link: https://www.npmjs.com/package/marked
License: MIT

2 Security Vulnerabilities

Inefficient Regular Expression Complexity in marked

Published date: 2022-01-14T21:04:46Z

CVE: CVE-2022-21681

Links:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.0.8", "0.0.9", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.2.0", "0.2.1", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.4-1", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.7", "0.3.9", "0.3.12", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]

Secure versions: [4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0]

Recommendation: Update to version 15.0.0.

Inefficient Regular Expression Complexity in marked

Published date: 2022-01-14T21:04:41Z

CVE: CVE-2022-21680

Links:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.0.8", "0.0.9", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.2.0", "0.2.1", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.4-1", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.7", "0.3.9", "0.3.12", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]

Secure versions: [4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0]

Recommendation: Update to version 15.0.0.

181 Other Versions

Version	License	Security	Released
15.0.0	MIT		2024-11-09 - 03:02	4 days
14.1.4	MIT		2024-11-07 - 17:29	6 days
14.1.3	MIT		2024-10-15 - 04:30	29 days
14.1.2	MIT		2024-09-08 - 15:31	2 months
14.1.1	MIT		2024-09-04 - 00:12	2 months
14.1.0	MIT		2024-08-26 - 04:00	3 months
14.0.0	MIT		2024-08-07 - 03:37	3 months
13.0.3	MIT		2024-07-28 - 17:34	4 months
13.0.2	MIT		2024-07-04 - 00:10	4 months
13.0.1	MIT		2024-06-24 - 14:54	5 months
13.0.0	MIT		2024-06-12 - 06:10	5 months
12.0.2	MIT		2024-04-19 - 05:13	7 months
12.0.1	MIT		2024-03-06 - 07:43	8 months
12.0.0	MIT		2024-02-03 - 16:27	9 months
11.2.0	MIT		2024-01-27 - 00:32	10 months
11.1.1	MIT		2023-12-31 - 02:33	11 months
11.1.0	MIT		2023-12-12 - 06:08	11 months
11.0.1	MIT		2023-12-08 - 07:23	11 months
11.0.0	MIT		2023-11-29 - 04:02	12 months
10.0.0	MIT		2023-11-11 - 05:55	about 1 year
9.1.6	MIT		2023-11-10 - 07:48	about 1 year
9.1.5	MIT		2023-11-02 - 04:35	about 1 year
9.1.4	MIT		2023-10-31 - 02:02	about 1 year
9.1.3	MIT		2023-10-28 - 05:17	about 1 year
9.1.2	MIT		2023-10-13 - 19:59	about 1 year
9.1.1	MIT		2023-10-11 - 20:28	about 1 year
9.1.0	MIT		2023-10-05 - 02:12	about 1 year
9.0.3	MIT		2023-09-18 - 17:44	about 1 year
9.0.2	MIT		2023-09-16 - 23:30	about 1 year
9.0.1	MIT		2023-09-15 - 19:30	about 1 year
9.0.0	MIT		2023-09-09 - 23:57	about 1 year
8.0.1	MIT		2023-09-06 - 19:03	about 1 year
8.0.0	MIT		2023-09-03 - 04:08	about 1 year
7.0.5	MIT		2023-08-26 - 16:03	about 1 year
7.0.4	MIT		2023-08-19 - 23:04	about 1 year
7.0.3	MIT		2023-08-15 - 00:21	about 1 year
7.0.2	MIT		2023-08-10 - 05:39	over 1 year
7.0.1	MIT		2023-08-07 - 22:56	over 1 year
7.0.0	MIT		2023-08-06 - 23:54	over 1 year
6.0.0	MIT		2023-07-31 - 21:49	over 1 year
5.1.2	MIT		2023-07-25 - 05:13	over 1 year
5.1.1	MIT		2023-07-07 - 14:46	over 1 year
5.1.0	MIT		2023-06-10 - 03:15	over 1 year
5.0.5	MIT		2023-06-07 - 04:24	over 1 year
5.0.4	MIT		2023-05-30 - 22:28	over 1 year
5.0.3	MIT		2023-05-26 - 16:56	over 1 year
5.0.2	MIT		2023-05-11 - 15:20	over 1 year
5.0.1	MIT		2023-05-06 - 20:52	over 1 year
5.0.0	MIT		2023-05-02 - 04:37	over 1 year
4.3.0	MIT		2023-03-22 - 05:54	over 1 year
4.2.12	MIT		2023-01-14 - 06:41	almost 2 years
4.2.11	MIT		2023-01-14 - 06:28	almost 2 years
4.2.10	MIT		2023-01-14 - 06:18	almost 2 years
4.2.9	MIT		2023-01-14 - 06:02	almost 2 years
4.2.8	MIT		2023-01-14 - 05:07	almost 2 years
4.2.7	MIT		2023-01-14 - 04:46	almost 2 years
4.2.6	MIT		2023-01-14 - 03:52	almost 2 years
4.2.5	MIT		2022-12-23 - 15:42	almost 2 years
4.2.4	MIT		2022-12-07 - 07:48	almost 2 years
4.2.3	MIT		2022-11-20 - 16:10	almost 2 years
4.2.2	MIT		2022-11-05 - 00:44	about 2 years
4.2.1	MIT		2022-11-02 - 02:07	about 2 years
4.2.0	MIT		2022-10-31 - 23:10	about 2 years
4.1.1	MIT		2022-10-01 - 01:35	about 2 years
4.1.0	MIT		2022-08-30 - 14:40	about 2 years
4.0.19	MIT		2022-08-21 - 16:24	about 2 years
4.0.18	MIT		2022-07-11 - 15:17	over 2 years
4.0.17	MIT		2022-06-13 - 03:18	over 2 years
4.0.16	MIT		2022-05-17 - 13:32	over 2 years
4.0.15	MIT		2022-05-02 - 06:14	over 2 years
4.0.14	MIT		2022-04-11 - 00:38	over 2 years
4.0.13	MIT		2022-04-08 - 01:54	over 2 years
4.0.12	MIT		2022-01-27 - 04:12	almost 3 years
4.0.11	MIT		2022-01-26 - 21:52	almost 3 years
4.0.10	MIT		2022-01-13 - 02:03	almost 3 years
4.0.9	MIT	2	2022-01-06 - 15:33	almost 3 years
4.0.8	MIT	2	2021-12-19 - 00:22	almost 3 years
4.0.7	MIT	2	2021-12-09 - 23:59	almost 3 years
4.0.6	MIT	2	2021-12-02 - 03:19	almost 3 years
4.0.5	MIT	2	2021-11-25 - 00:12	almost 3 years
4.0.4	MIT	2	2021-11-19 - 14:09	almost 3 years
4.0.3	MIT	2	2021-11-13 - 04:33	about 3 years
4.0.2	MIT	2	2021-11-12 - 21:39	about 3 years
4.0.1	MIT	2	2021-11-11 - 02:35	about 3 years
4.0.0	MIT	2	2021-11-02 - 14:42	about 3 years
3.0.8	MIT	2	2021-10-24 - 05:05	about 3 years
3.0.7	MIT	2	2021-10-07 - 14:02	about 3 years
3.0.6	MIT	2	2021-10-06 - 21:57	about 3 years
3.0.5	MIT	2	2021-10-06 - 20:34	about 3 years
3.0.4	MIT	2	2021-09-14 - 17:50	about 3 years
3.0.3	MIT	2	2021-09-08 - 20:22	about 3 years
3.0.2	MIT	2	2021-08-25 - 02:25	about 3 years
3.0.1	MIT	2	2021-08-23 - 18:49	about 3 years
3.0.0	MIT	2	2021-08-16 - 03:09	about 3 years
2.1.3	MIT	2	2021-06-25 - 20:15	over 3 years
2.1.2	MIT	2	2021-06-22 - 17:27	over 3 years
2.1.1	MIT	2	2021-06-16 - 13:50	over 3 years
2.1.0	MIT	2	2021-06-15 - 23:23	over 3 years
2.0.7	MIT	2	2021-06-01 - 19:28	over 3 years
2.0.6	MIT	2	2021-05-27 - 16:17	over 3 years