Regular Expression Denial of Service

Description

A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parenthesis in link URIs, coupled with a high number of link tokens in a single line.

Recommendation

Update the marked package to the latest compatible version. Followings are version details:

• Affected version(s): >= 0.5.0, < 0.6.1
• Patched version(s): 0.6.1

References

• GHSA-7m7q-q53v-j47v
• bugzilla.redhat.com

Related Issues

• Regular Expression Denial of Service in marked - marked - GHSA-ch52-vgq2-943f - Vulnerability
• tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
• prismjs Regular Expression Denial of Service vulnerability - CVE-2021-3801
• useragent Regular Expression Denial of Service vulnerability - CVE-2020-26311

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

marked