CVE-2022-21681

HIGH7.5EPSS 0.69%

Inefficient Regular Expression Complexity in marked

Published: 1/14/2022Modified: 11/8/2023
Also known as:GHSA-5v2h-r2cx-5xgj

Description

### Impact _What kind of vulnerability is it?_ Denial of service. The regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings. PoC is the following. ```javascript import * as marked from 'marked'; console.log(marked.parse(`[x]: x \\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`)); ``` _Who is impacted?_ Anyone who runs untrusted markdown through marked and does not use a worker with a time limit. ### Patches _Has the problem been patched?_ Yes _What versions should users upgrade to?_ 4.0.10 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Do not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources. ### References _Are there any links users can visit to find out more?_ - https://marked.js.org/using_advanced#workers - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS ### For more information If you have any questions or comments about this advisory: * Open an issue in [marked](https://github.com/markedjs/marked)

Affected packages (2)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)