Marked ReDoS due to email addresses being evaluated in quadratic time
- Severity: Medium
Description
Versions of marked from 0.3.14 up to, but not including, 0.6.2 are vulnerable to Regular Expression Denial of Service (ReDoS). Email addresses may be evaluated in quadratic time, so attacker-controlled markdown input can potentially crash the Node process through resource exhaustion.
Recommendation
Update the marked package to the latest compatible version. Version details:
- Affected version(s): >= 0.3.14, < 0.6.2
- Patched version(s): 0.6.2
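As an added example, not part of this advisory or of the marked project: a Node.js check that scans a package-lock.json for copies of marked whose version falls in the affected range above, including nested copies pulled in by other dependencies. The sample lockfile is constructed for the example.

```javascript
// Added example: locate affected copies of marked in a package-lock.json.
const AFFECTED_PACKAGE = 'marked';
const AFFECTED_MIN = '0.3.14'; // inclusive lower bound from the advisory
const PATCHED = '0.6.2';       // exclusive upper bound (first patched release)

// Compare dotted numeric versions; assumption: plain x.y.z, pre-release tags ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when version is in [0.3.14, 0.6.2).
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, PATCHED) < 0;
}

// Handles both lockfile shapes: v2/v3 flat "packages" and v1 nested "dependencies".
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + AFFECTED_PACKAGE) && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === AFFECTED_PACKAGE && isAffected(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path + '/'); // nested copies of transitive deps
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v2 shape): one affected copy, one patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/marked': { version: '0.5.1' },
    'node_modules/some-doc-tool/node_modules/marked': { version: '0.6.2' },
  },
};
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.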
References
Related Issues
- Regular Expression Denial of Service in marked (GHSA-x5pg-88wf-qq4p) - CVE-2017-16114
- Redwood is vulnerable to account takeover via dbAuth "forgot-password" - Vulnerability
- bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function - CVE-2025-3194
- Marp Core allows XSS by improper neutralization of HTML sanitization - CVE-2024-56510
- Tags: npm, marked
Last updated on January 11, 2023