CVE-2022-21680

描述

### Impact _What kind of vulnerability is it?_ Denial of service. The regular expression `block.def` may cause catastrophic backtracking against some strings. PoC is the following. ```javascript import * as marked from "marked"; marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`); ``` _Who is impacted?_ Anyone who runs untrusted markdown through marked and does not use a worker with a time limit. ### Patches _Has the problem been patched?_ Yes _What versions should users upgrade to?_ 4.0.10 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Do not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources. ### References _Are there any links users can visit to find out more?_ - https://marked.js.org/using_advanced#workers - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS ### For more information If you have any questions or comments about this advisory: * Open an issue in [marked](https://github.com/markedjs/marked)

受影響套件(2)

• Debian/node-markedfrom 0
• npm/markedfrom 0, < 4.0.10

CVSS 分數

參考連結(7)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-21680
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-21680
• PATCHhttps://github.com/markedjs/marked
• WEBhttps://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
• WEBhttps://github.com/markedjs/marked/releases/tag/v4.0.10
• WEBhttps://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX