Regular Expression Denial of Service in marked - marked

Description

Affected versions of marked are vulnerable to a regular expression denial of service.

The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

Recommendation

Update the marked package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.3.9
• Patched version(s): 0.3.9

References

• GHSA-x5pg-88wf-qq4p
• www.npmjs.com
• CVE-2017-16114
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Regular Expression Denial of Service in slug - CVE-2017-16117
• Regular Expression Denial of Service in moment - CVE-2017-18214
• Regular Expression Denial of Service in string package - CVE-2017-16116
• Regular Expression Denial of Service in timespan - CVE-2017-16115

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

marked