Inefficient Regular Expression Complexity in marked

Description

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Recommendation

Update the marked package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.0.10
• Patched version(s): 4.0.10

References

• GHSA-rrrm-qjm4-v8hf
• lists.fedoraproject.org
• CVE-2022-21680
• CWE-1333
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Inefficient Regular Expression Complexity in marked (GHSA-5v2h-r2cx-5xgj) - CVE-2022-21681
• steal Inefficient Regular Expression Complexity vulnerability via string variable - CVE-2022-37259
• node-fetch Inefficient Regular Expression Complexity - CVE-2022-2596
• Moment.js vulnerable to Inefficient Regular Expression Complexity - CVE-2022-31129

Tags:

npm

marked