Inefficient Regular Expression Complexity in marked (GHSA-5v2h-r2cx-5xgj)
- Severity:
- High
Description
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.0.10
- Patched version(s): 4.0.10
References
Related Issues
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
- Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) 10 - Vulnerability
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 3 - CVE-2024-52810
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 2 - CVE-2024-52810
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on November 29, 2023