marked : 0.3.6

Security Vulnerabilities

Title: Sanitization bypass using HTML Entities
Recommendation: Upgrade to version 0.3.6 or greater.
Source: nodesecurity
Severity: medium
NSP: 101
Security Score (CVSSv2): 5.3
Author: Matt Austin
Published: 2016-04-18T16:45:00.000Z
Affected versions: <=0.3.5
Patched versions: >=0.3.6

marked is an application that is meant to parse and compile markdown.

Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL.

This flaw exists because an entity of the form &#xNNanything; is decoded only as far as it can be, and the remainder is left in place, so that just anything; survives in the output.

For example:

If a malicious user could provide the input javascript&#x58document;alert&#40;1&#41; to the application, the result would be a valid link that, when a user clicked it, would execute alert(1).
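An added check, not code from marked or from the advisory, written here to show how a link sanitizer should treat the character references the advisory describes: decode them the way a browser does (digits consumed greedily, semicolon optional, remainder left in place) and only then inspect the scheme. The names decodeEntities and isSafeHref, the scheme allowlist and the sample hrefs are assumptions made for this example.

```javascript
// Added example (not marked's code): decide whether a link href is safe by
// inspecting it the way a browser will, i.e. after HTML character references
// are decoded. Checking the raw text instead is what lets a partially decoded
// reference smuggle a javascript: scheme past a sanitizer.

// Constructed subset of named references, not the full HTML list.
const NAMED_REFS = { colon: ':', amp: '&', lt: '<', gt: '>', quot: '"', tab: '\t', newline: '\n' };

// Decode references like an HTML parser: digits are consumed greedily, the
// terminating ';' is optional, and whatever follows is left in place, so
// "&#72ello" becomes "Hello" and "&#x41pple" becomes "Apple".
function decodeEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    const name = ref.toLowerCase();
    // Unknown names stay as written; decoding known ones only makes the check stricter.
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// Assumed allowlist: any other scheme (javascript:, vbscript:, data:, ...) is rejected.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// True when the decoded href is relative or uses an allow-listed scheme.
function isSafeHref(href) {
  const decoded = decodeEntities(href)
    .replace(/[\t\n\r]/g, '')                             // browsers drop these inside a URL
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, ''); // and trim leading/trailing controls
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(decoded);
  if (!scheme) return true; // no scheme at all: a relative URL
  return SAFE_SCHEMES.has(scheme[1].toLowerCase());
}

// Constructed sample hrefs. The advisory's literal example never yields a ':'
// ("&#x58d" is consumed as one hex reference), so it stays a relative URL.
const SAMPLES = [
  'https://example.com/docs',
  'javascript&colon;alert(1)',
  'javascript&#58;alert(1)',
  'JAVASCRIPT&#x3a;alert(1)',
  'javascript&#x58document;alert&#40;1&#41;',
];
for (const s of SAMPLES) console.log(isSafeHref(s) ? 'allow ' : 'reject', s);
```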


Title: Regular Expression Denial of Service
Recommendation: Consider another markdown parser until the issue can be addressed.
Source: nodesecurity
NSP: 531
Security Score (CVSSv2): 7.5
Author: Cristian-Alexandru Staicu
Published: 2017-09-21T20:41:26.470Z
Affected versions: <0.3.9
Patched versions: >=0.3.9

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.


Description

A markdown parser built for speed

Summary

2.721 software packages are referencing this project.
This project is a Rockstar! If that many other packages are referencing it, it must be good and useful. As a Node.JS dev you should know this project.
This version number (0.3.6) fits semantic versioning 2.0.0!

Keywords

markdown markup html

Dependencies

0 Compile Dependencies

5 Development Dependencies
Dependency    Required   Newest
gulp          ^3.8.11    3.9.1
gulp-concat   ^2.5.2     2.6.1
gulp-uglify   ^1.1.0     2.0.0
markdown      *          0.5.0
showdown      *          1.5.5

NPM

NPM install:
npm install marked@0.3.6 -g
package.json:
"marked": "0.3.6"

Comments

Federico Soave at Sep 15, 2016 - 15:06
The HTML entities for : are either &colon;, &#58; or &#x3a;, all of which are covered by marked 0.3.6. The example provided (&#x58) does not produce a colon and therefore no javascript code is injected.
larsilus at Sep 24, 2016 - 07:02
Hi, just concerning your list of HTML entities: based on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Character_escape_sequences there could maybe be more variations than the listed ones, depending on the situation.
