Inefficient Regular Expression Complexity in marked (GHSA-5v2h-r2cx-5xgj)
- Severity:
- High
Description
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.0.10
- Patched version(s): 4.0.10
References
Related Issues
- Inefficient Regular Expression Complexity in marked - CVE-2022-21680
- node-fetch Inefficient Regular Expression Complexity - CVE-2022-2596
- Moment.js vulnerable to Inefficient Regular Expression Complexity - CVE-2022-31129
- steal Inefficient Regular Expression Complexity vulnerability via string variable - CVE-2022-37259
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on November 29, 2023