Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic…
GitHub_M·CWE-1333·Published 2022-01-14
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
### Impact _What kind of vulnerability is it?_ Denial of service. The regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings. PoC is the following. ```javascript import * as marked from 'marked'; console.log(marked.parse(`[x]: x \\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`)); ``` _Who is impacted?_ Anyone who runs untrusted markdown through marked and does not use a worker with a time limit. ### Patches _Has the problem been patched?_ Yes _What versions should users upgrade to?_ 4.0.10 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Do not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources. ### References _Are there any links users can visit to find out more?_ - https://marked.js.org/using_advanced#workers - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS ### For more information If you have any questions or comments about this advisory: * Open an issue in [marked](https://github.com/markedjs/marked)
### Impact _What kind of vulnerability is it?_ Denial of service. The regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings. PoC is the following. ```javascript import * as marked from 'marked'; console.log(marked.parse(`[x]: x \\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`)); ``` _Who is impacted?_ Anyone who runs untrusted markdown through marked and does not use a worker with a time limit. ### Patches _Has the problem been patched?_ Yes _What versions should users upgrade to?_ 4.0.10 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Do not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources. ### References _Are there any links users can visit to find out more?_ - https://marked.js.org/using_advanced#workers - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS ### For more information If you have any questions or comments about this advisory: * Open an issue in [marked](https://github.com/markedjs/marked)
Marked es un analizador y compilador de markdown. En versiones anteriores a 4.0.10, la expresión regular "inline.reflinkSearch" podía causar un retroceso catastrófico contra algunas cadenas y conllevar a una denegación de servicio (DoS). Cualquiera que ejecute markdown no confiable mediante una versión vulnerable de marked y no use un trabajador con límite de tiempo puede verse afectado. Este problema está parcheado en la versión 4.0.10. Como medida de mitigación, evite ejecutar markdown no confiable mediante marked o ejecute marked en un hilo de trabajo y establezca un límite de tiempo razonable para evitar el agotamiento de los recursos
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |