Description
Affected versions of marked are vulnerable to a regular expression denial of service.
The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.3.9
- Patched version(s): 0.3.9
References
Related Issues
- Regular Expression Denial of Service in timespan - CVE-2017-16115
- Regular expression denial of service in jquery-validation (GHSA-j9m2-h2pv-wvph) - CVE-2021-43306
- Regular Expression Denial Of Service in uri-js - CVE-2017-16021
- regular expression denial of service (ReDoS) (GHSA-r92x-f52r-x54g) - CVE-2020-26289
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on September 07, 2023