NodeJS/marked/0.8.0
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
2 Security Vulnerabilities
Inefficient Regular Expression Complexity in marked
Published date: 2022-01-14T21:04:46Z
CVE: CVE-2022-21681
Links:
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Affected versions:
["0.0.2", "0.0.5", "0.0.6", "0.1.0", "0.1.3", "0.1.4", "0.1.6", "0.1.8", "0.2.0", "0.2.1", "0.2.4-1", "0.2.5", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.9", "0.3.12", "0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.7.0", "1.0.0", "1.2.0", "1.1.2", "1.2.1", "1.2.3", "0.0.1", "0.0.3", "0.0.4", "0.0.7", "0.0.8", "0.0.9", "0.1.1", "0.1.2", "0.1.5", "0.1.7", "0.1.9", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.6", "0.2.7", "0.2.8", "0.3.7", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.6.0", "0.6.2", "0.8.0", "0.8.1", "0.8.2", "1.1.0", "1.1.1", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.3", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.0.0.
Inefficient Regular Expression Complexity in marked
Published date: 2022-01-14T21:04:41Z
CVE: CVE-2022-21680
Links:
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Affected versions:
["0.0.2", "0.0.5", "0.0.6", "0.1.0", "0.1.3", "0.1.4", "0.1.6", "0.1.8", "0.2.0", "0.2.1", "0.2.4-1", "0.2.5", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.9", "0.3.12", "0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.7.0", "1.0.0", "1.2.0", "1.1.2", "1.2.1", "1.2.3", "0.0.1", "0.0.3", "0.0.4", "0.0.7", "0.0.8", "0.0.9", "0.1.1", "0.1.2", "0.1.5", "0.1.7", "0.1.9", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.6", "0.2.7", "0.2.8", "0.3.7", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.6.0", "0.6.2", "0.8.0", "0.8.1", "0.8.2", "1.1.0", "1.1.1", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.3", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.0.0.
194 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.0.6 | MIT | 2 | 2021-10-06 - 21:57 | over 3 years |
| 3.0.5 | MIT | 2 | 2021-10-06 - 20:34 | over 3 years |
| 3.0.4 | MIT | 2 | 2021-09-14 - 17:50 | almost 4 years |
| 3.0.3 | MIT | 2 | 2021-09-08 - 20:22 | almost 4 years |
| 3.0.2 | MIT | 2 | 2021-08-25 - 02:25 | almost 4 years |
| 3.0.1 | MIT | 2 | 2021-08-23 - 18:49 | almost 4 years |
| 3.0.0 | MIT | 2 | 2021-08-16 - 03:09 | almost 4 years |
| 2.1.3 | MIT | 2 | 2021-06-25 - 20:15 | about 4 years |
| 2.1.2 | MIT | 2 | 2021-06-22 - 17:27 | about 4 years |
| 2.1.1 | MIT | 2 | 2021-06-16 - 13:50 | about 4 years |
| 2.1.0 | MIT | 2 | 2021-06-15 - 23:23 | about 4 years |
| 2.0.7 | MIT | 2 | 2021-06-01 - 19:28 | about 4 years |
| 2.0.6 | MIT | 2 | 2021-05-27 - 16:17 | about 4 years |
| 2.0.5 | MIT | 2 | 2021-05-21 - 20:54 | about 4 years |
| 2.0.4 | MIT | 2 | 2021-05-20 - 13:44 | about 4 years |
| 2.0.3 | MIT | 2 | 2021-04-11 - 19:09 | about 4 years |
| 2.0.2 | MIT | 2 | 2021-04-10 - 20:23 | about 4 years |
| 2.0.1 | MIT | 2 | 2021-02-27 - 05:52 | over 4 years |
| 2.0.0 | MIT | 2 | 2021-02-07 - 22:26 | over 4 years |
| 1.2.9 | MIT | 3 | 2021-02-03 - 19:48 | over 4 years |
| 1.2.8 | MIT | 3 | 2021-01-26 - 14:21 | over 4 years |
| 1.2.7 | MIT | 3 | 2020-12-15 - 20:15 | over 4 years |
| 1.2.6 | MIT | 3 | 2020-12-10 - 16:30 | over 4 years |
| 1.2.5 | MIT | 3 | 2020-11-19 - 14:32 | over 4 years |
| 1.2.4 | MIT | 3 | 2020-11-15 - 02:05 | over 4 years |
| 1.2.3 | MIT | 3 | 2020-11-04 - 21:25 | over 4 years |
| 1.2.2 | MIT | 3 | 2020-10-21 - 14:58 | over 4 years |
| 1.2.1 | MIT | 3 | 2020-10-21 - 14:51 | over 4 years |
| 1.2.0 | MIT | 3 | 2020-09-28 - 05:09 | almost 5 years |
| 1.1.2 | MIT | 3 | 2020-10-21 - 14:40 | over 4 years |
| 1.1.1 | MIT | 3 | 2020-07-14 - 01:54 | almost 5 years |
| 1.1.0 | MIT | 2 | 2020-05-16 - 21:45 | about 5 years |
| 1.0.0 | MIT | 2 | 2020-04-21 - 01:07 | about 5 years |
| 0.8.2 | MIT | 2 | 2020-03-22 - 15:44 | over 5 years |
| 0.8.1 | MIT | 2 | 2020-03-18 - 21:44 | over 5 years |
| 0.8.0 | MIT | 2 | 2019-12-12 - 20:49 | over 5 years |
| 0.7.0 | MIT | 2 | 2019-07-06 - 04:13 | almost 6 years |
| 0.6.3 | MIT | 3 | 2019-06-30 - 02:11 | about 6 years |
| 0.6.2 | MIT | 3 | 2019-04-05 - 14:32 | about 6 years |
| 0.6.1 | MIT | 4 | 2019-02-19 - 20:03 | over 6 years |
| 0.6.0 | MIT | 5 | 2019-01-01 - 00:49 | over 6 years |
| 0.5.2 | MIT | 5 | 2018-11-20 - 00:04 | over 6 years |
| 0.5.1 | MIT | 5 | 2018-09-26 - 01:51 | almost 7 years |
| 0.5.0 | MIT | 5 | 2018-08-16 - 22:07 | almost 7 years |
| 0.4.0 | MIT | 4 | 2018-05-21 - 13:05 | about 7 years |
| 0.3.19 | MIT | 3 | 2018-03-26 - 02:59 | over 7 years |
| 0.3.18 | MIT | 3 | 2018-03-22 - 17:01 | over 7 years |
| 0.3.17 | MIT | 3 | 2018-02-27 - 13:07 | over 7 years |
| 0.3.16 | MIT | 3 | 2018-02-20 - 20:56 | over 7 years |
| 0.3.15 | MIT | 3 | 2018-02-19 - 04:26 | over 7 years |