ghsa-rrrm-qjm4-v8hf
Vulnerability from github
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def
may cause catastrophic backtracking against some strings.
PoC is the following.
```javascript import * as marked from "marked";
marked.parse([x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x
);
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "(marked).parse" ] }, "package": { "ecosystem": "npm", "name": "marked" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "4.0.10" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-21680" ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-01-14T19:56:20Z", "nvd_published_at": "2022-01-14T17:15:00Z", "severity": "HIGH" }, "details": "### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${\u0027 \u0027.repeat(1500)}x ${\u0027 \u0027.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n", "id": "GHSA-rrrm-qjm4-v8hf", "modified": "2022-01-14T19:56:20Z", "published": "2022-01-14T21:04:41Z", "references": [ { "type": "WEB", "url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21680" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/releases/tag/v4.0.10" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Inefficient Regular Expression Complexity in marked" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.