Inefficient Regular Expression Complexity in marked

Description

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Recommendation

Update the marked package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.0.10
• Patched version(s): 4.0.10

References

• GHSA-rrrm-qjm4-v8hf
• lists.fedoraproject.org
• CVE-2022-21680
• CWE-1333
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Inefficient Regular Expression Complexity in marked (GHSA-5v2h-r2cx-5xgj) - CVE-2022-21681
• Moment.js vulnerable to Inefficient Regular Expression Complexity - CVE-2022-31129
• node-fetch Inefficient Regular Expression Complexity - CVE-2022-2596
• steal Inefficient Regular Expression Complexity vulnerability via string variable - CVE-2022-37259

Tags:

npm

marked