NodeJS/marked/0.6.2
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
3 Security Vulnerabilities
Inefficient Regular Expression Complexity in marked
Published date: 2022-01-14T21:04:46Z
CVE: CVE-2022-21681
Links:
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Affected versions:
["0.0.2", "0.0.5", "0.0.6", "0.1.0", "0.1.3", "0.1.4", "0.1.6", "0.1.8", "0.2.0", "0.2.1", "0.2.4-1", "0.2.5", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.9", "0.3.12", "0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.7.0", "1.0.0", "1.2.0", "1.1.2", "1.2.1", "1.2.3", "0.0.1", "0.0.3", "0.0.4", "0.0.7", "0.0.8", "0.0.9", "0.1.1", "0.1.2", "0.1.5", "0.1.7", "0.1.9", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.6", "0.2.7", "0.2.8", "0.3.7", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.6.0", "0.6.2", "0.8.0", "0.8.1", "0.8.2", "1.1.0", "1.1.1", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.3", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 16.1.0, 16.1.1, 16.1.2, 16.2.0, 16.2.1, 16.3.0, 16.4.0, 16.4.1, 16.4.2, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.4.2.
Regular Expression Denial of Service in marked
Published date: 2020-09-03T18:15:53Z
Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input.
Recommendation
Upgrade to version 0.7.0 or later.
Affected versions:
["0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.4.0", "0.6.0", "0.6.2"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 16.1.0, 16.1.1, 16.1.2, 16.2.0, 16.2.1, 16.3.0, 16.4.0, 16.4.1, 16.4.2, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.4.2.
Inefficient Regular Expression Complexity in marked
Published date: 2022-01-14T21:04:41Z
CVE: CVE-2022-21680
Links:
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Affected versions:
["0.0.2", "0.0.5", "0.0.6", "0.1.0", "0.1.3", "0.1.4", "0.1.6", "0.1.8", "0.2.0", "0.2.1", "0.2.4-1", "0.2.5", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.9", "0.3.12", "0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.7.0", "1.0.0", "1.2.0", "1.1.2", "1.2.1", "1.2.3", "0.0.1", "0.0.3", "0.0.4", "0.0.7", "0.0.8", "0.0.9", "0.1.1", "0.1.2", "0.1.5", "0.1.7", "0.1.9", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.6", "0.2.7", "0.2.8", "0.3.7", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.6.0", "0.6.2", "0.8.0", "0.8.1", "0.8.2", "1.1.0", "1.1.1", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.3", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 16.1.0, 16.1.1, 16.1.2, 16.2.0, 16.2.1, 16.3.0, 16.4.0, 16.4.1, 16.4.2, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.4.2.
203 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 16.4.2 | MIT | 2025-11-06 - 22:29 | about 23 hours | |
| 16.4.1 | MIT | 2025-10-17 - 07:26 | 22 days | |
| 16.4.0 | MIT | 2025-10-07 - 03:35 | about 1 month | |
| 16.3.0 | MIT | 2025-09-14 - 14:33 | about 2 months | |
| 16.2.1 | MIT | 2025-08-27 - 13:08 | 2 months | |
| 16.2.0 | MIT | 2025-08-18 - 00:58 | 3 months | |
| 16.1.2 | MIT | 2025-08-04 - 02:30 | 3 months | |
| 16.1.1 | MIT | 2025-07-18 - 14:52 | 4 months | |
| 16.1.0 | MIT | 2025-07-17 - 15:04 | 4 months | |
| 16.0.0 | MIT | 2025-06-27 - 04:49 | 4 months | |
| 15.0.12 | MIT | 2025-05-20 - 05:03 | 6 months | |
| 15.0.11 | MIT | 2025-04-25 - 00:47 | 7 months | |
| 15.0.10 | MIT | 2025-04-23 - 20:59 | 7 months | |
| 15.0.9 | MIT | 2025-04-21 - 23:09 | 7 months | |
| 15.0.8 | MIT | 2025-04-07 - 15:08 | 7 months | |
| 15.0.7 | MIT | 2025-02-10 - 00:04 | 9 months | |
| 15.0.6 | MIT | 2025-01-06 - 16:02 | 10 months | |
| 15.0.5 | MIT | 2025-01-02 - 15:41 | 10 months | |
| 15.0.4 | MIT | 2024-12-15 - 02:24 | 11 months | |
| 15.0.3 | MIT | 2024-11-29 - 05:25 | 11 months | |
| 15.0.2 | MIT | 2024-11-20 - 23:18 | 12 months | |
| 15.0.1 | MIT | 2024-11-18 - 04:59 | 12 months | |
| 15.0.0 | MIT | 2024-11-09 - 03:02 | 12 months | |
| 14.1.4 | MIT | 2024-11-07 - 17:29 | about 1 year | |
| 14.1.3 | MIT | 2024-10-15 - 04:30 | about 1 year | |
| 14.1.2 | MIT | 2024-09-08 - 15:31 | about 1 year | |
| 14.1.1 | MIT | 2024-09-04 - 00:12 | about 1 year | |
| 14.1.0 | MIT | 2024-08-26 - 04:00 | about 1 year | |
| 14.0.0 | MIT | 2024-08-07 - 03:37 | over 1 year | |
| 13.0.3 | MIT | 2024-07-28 - 17:34 | over 1 year | |
| 13.0.2 | MIT | 2024-07-04 - 00:10 | over 1 year | |
| 13.0.1 | MIT | 2024-06-24 - 14:54 | over 1 year | |
| 13.0.0 | MIT | 2024-06-12 - 06:10 | over 1 year | |
| 12.0.2 | MIT | 2024-04-19 - 05:13 | over 1 year | |
| 12.0.1 | MIT | 2024-03-06 - 07:43 | over 1 year | |
| 12.0.0 | MIT | 2024-02-03 - 16:27 | almost 2 years | |
| 11.2.0 | MIT | 2024-01-27 - 00:32 | almost 2 years | |
| 11.1.1 | MIT | 2023-12-31 - 02:33 | almost 2 years | |
| 11.1.0 | MIT | 2023-12-12 - 06:08 | almost 2 years | |
| 11.0.1 | MIT | 2023-12-08 - 07:23 | almost 2 years | |
| 11.0.0 | MIT | 2023-11-29 - 04:02 | almost 2 years | |
| 10.0.0 | MIT | 2023-11-11 - 05:55 | almost 2 years | |
| 9.1.6 | MIT | 2023-11-10 - 07:48 | almost 2 years | |
| 9.1.5 | MIT | 2023-11-02 - 04:35 | about 2 years | |
| 9.1.4 | MIT | 2023-10-31 - 02:02 | about 2 years | |
| 9.1.3 | MIT | 2023-10-28 - 05:17 | about 2 years | |
| 9.1.2 | MIT | 2023-10-13 - 19:59 | about 2 years | |
| 9.1.1 | MIT | 2023-10-11 - 20:28 | about 2 years | |
| 9.1.0 | MIT | 2023-10-05 - 02:12 | about 2 years | |
| 9.0.3 | MIT | 2023-09-18 - 17:44 | about 2 years |