NodeJS/marked/2.0.2
A markdown parser built for speed
https://www.npmjs.com/package/marked
MIT
2 Security Vulnerabilities
Inefficient Regular Expression Complexity in marked
Published date: 2022-01-14T21:04:46Z
CVE: CVE-2022-21681
Links:
- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
- https://nvd.nist.gov/vuln/detail/CVE-2022-21681
- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Affected versions:
["0.0.2", "0.0.5", "0.0.6", "0.1.0", "0.1.3", "0.1.4", "0.1.6", "0.1.8", "0.2.0", "0.2.1", "0.2.4-1", "0.2.5", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.9", "0.3.12", "0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.7.0", "1.0.0", "1.2.0", "1.1.2", "1.2.1", "1.2.3", "0.0.1", "0.0.3", "0.0.4", "0.0.7", "0.0.8", "0.0.9", "0.1.1", "0.1.2", "0.1.5", "0.1.7", "0.1.9", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.6", "0.2.7", "0.2.8", "0.3.7", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.6.0", "0.6.2", "0.8.0", "0.8.1", "0.8.2", "1.1.0", "1.1.1", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.3", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.0.0.
Inefficient Regular Expression Complexity in marked
Published date: 2022-01-14T21:04:41Z
CVE: CVE-2022-21680
Links:
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Affected versions:
["0.0.2", "0.0.5", "0.0.6", "0.1.0", "0.1.3", "0.1.4", "0.1.6", "0.1.8", "0.2.0", "0.2.1", "0.2.4-1", "0.2.5", "0.2.9", "0.2.10", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.9", "0.3.12", "0.5.0", "0.5.1", "0.5.2", "0.6.1", "0.6.3", "0.7.0", "1.0.0", "1.2.0", "1.1.2", "1.2.1", "1.2.3", "0.0.1", "0.0.3", "0.0.4", "0.0.7", "0.0.8", "0.0.9", "0.1.1", "0.1.2", "0.1.5", "0.1.7", "0.1.9", "0.2.2", "0.2.2-1", "0.2.3", "0.2.4", "0.2.6", "0.2.7", "0.2.8", "0.3.7", "0.3.13", "0.3.14", "0.3.15", "0.3.16", "0.3.17", "0.3.18", "0.3.19", "0.4.0", "0.6.0", "0.6.2", "0.8.0", "0.8.1", "0.8.2", "1.1.0", "1.1.1", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "2.0.0", "2.0.1", "2.0.3", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9"]
Secure versions:
[10.0.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.0.10, 15.0.11, 15.0.12, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 16.0.0, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.10, 4.2.11, 4.2.12, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 8.0.0, 8.0.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6]
Recommendation:
Update to version 16.0.0.
194 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 16.0.0 | MIT | 2025-06-27 - 04:49 | 4 days | |
| 15.0.12 | MIT | 2025-05-20 - 05:03 | about 1 month | |
| 15.0.11 | MIT | 2025-04-25 - 00:47 | 2 months | |
| 15.0.10 | MIT | 2025-04-23 - 20:59 | 2 months | |
| 15.0.9 | MIT | 2025-04-21 - 23:09 | 2 months | |
| 15.0.8 | MIT | 2025-04-07 - 15:08 | 3 months | |
| 15.0.7 | MIT | 2025-02-10 - 00:04 | 5 months | |
| 15.0.6 | MIT | 2025-01-06 - 16:02 | 6 months | |
| 15.0.5 | MIT | 2025-01-02 - 15:41 | 6 months | |
| 15.0.4 | MIT | 2024-12-15 - 02:24 | 7 months | |
| 15.0.3 | MIT | 2024-11-29 - 05:25 | 7 months | |
| 15.0.2 | MIT | 2024-11-20 - 23:18 | 7 months | |
| 15.0.1 | MIT | 2024-11-18 - 04:59 | 8 months | |
| 15.0.0 | MIT | 2024-11-09 - 03:02 | 8 months | |
| 14.1.4 | MIT | 2024-11-07 - 17:29 | 8 months | |
| 14.1.3 | MIT | 2024-10-15 - 04:30 | 9 months | |
| 14.1.2 | MIT | 2024-09-08 - 15:31 | 10 months | |
| 14.1.1 | MIT | 2024-09-04 - 00:12 | 10 months | |
| 14.1.0 | MIT | 2024-08-26 - 04:00 | 10 months | |
| 14.0.0 | MIT | 2024-08-07 - 03:37 | 11 months | |
| 13.0.3 | MIT | 2024-07-28 - 17:34 | 11 months | |
| 13.0.2 | MIT | 2024-07-04 - 00:10 | 12 months | |
| 13.0.1 | MIT | 2024-06-24 - 14:54 | about 1 year | |
| 13.0.0 | MIT | 2024-06-12 - 06:10 | about 1 year | |
| 12.0.2 | MIT | 2024-04-19 - 05:13 | about 1 year | |
| 12.0.1 | MIT | 2024-03-06 - 07:43 | over 1 year | |
| 12.0.0 | MIT | 2024-02-03 - 16:27 | over 1 year | |
| 11.2.0 | MIT | 2024-01-27 - 00:32 | over 1 year | |
| 11.1.1 | MIT | 2023-12-31 - 02:33 | over 1 year | |
| 11.1.0 | MIT | 2023-12-12 - 06:08 | over 1 year | |
| 11.0.1 | MIT | 2023-12-08 - 07:23 | over 1 year | |
| 11.0.0 | MIT | 2023-11-29 - 04:02 | over 1 year | |
| 10.0.0 | MIT | 2023-11-11 - 05:55 | over 1 year | |
| 9.1.6 | MIT | 2023-11-10 - 07:48 | over 1 year | |
| 9.1.5 | MIT | 2023-11-02 - 04:35 | over 1 year | |
| 9.1.4 | MIT | 2023-10-31 - 02:02 | over 1 year | |
| 9.1.3 | MIT | 2023-10-28 - 05:17 | over 1 year | |
| 9.1.2 | MIT | 2023-10-13 - 19:59 | over 1 year | |
| 9.1.1 | MIT | 2023-10-11 - 20:28 | over 1 year | |
| 9.1.0 | MIT | 2023-10-05 - 02:12 | over 1 year | |
| 9.0.3 | MIT | 2023-09-18 - 17:44 | almost 2 years | |
| 9.0.2 | MIT | 2023-09-16 - 23:30 | almost 2 years | |
| 9.0.1 | MIT | 2023-09-15 - 19:30 | almost 2 years | |
| 9.0.0 | MIT | 2023-09-09 - 23:57 | almost 2 years | |
| 8.0.1 | MIT | 2023-09-06 - 19:03 | almost 2 years | |
| 8.0.0 | MIT | 2023-09-03 - 04:08 | almost 2 years | |
| 7.0.5 | MIT | 2023-08-26 - 16:03 | almost 2 years | |
| 7.0.4 | MIT | 2023-08-19 - 23:04 | almost 2 years | |
| 7.0.3 | MIT | 2023-08-15 - 00:21 | almost 2 years | |
| 7.0.2 | MIT | 2023-08-10 - 05:39 | almost 2 years |