Regular Expression Denial of Service in marked (GHSA-x5pg-88wf-qq4p)

Description

Affected versions of marked are vulnerable to a regular expression denial of service.

The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

Recommendation

Update the marked package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.3.9
• Patched version(s): 0.3.9

References

• GHSA-x5pg-88wf-qq4p
• www.npmjs.com
• CVE-2017-16114
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) - CVE-2020-28500
• Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 2 - CVE-2020-28500
• Regular expression denial of service in jquery-validation (GHSA-j9m2-h2pv-wvph) - CVE-2021-43306
• Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266

Tags:

npm

marked