The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
This PR contains the following updates:
^3.0.2->^4.0.0GitHub Vulnerability Alerts
CVE-2022-21680
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression
block.defmay cause catastrophic backtracking against some strings. PoC is the following.Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
CVE-2022-21681
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression
inline.reflinkSearchmay cause catastrophic backtracking against some strings. PoC is the following.Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Release Notes
markedjs/marked (marked)
### [`v4.0.10`](https://togithub.com/markedjs/marked/releases/tag/v4.0.10) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.9...v4.0.10) ##### Bug Fixes - **security:** fix redos vulnerabilities ([8f80657](https://togithub.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5)) ### [`v4.0.9`](https://togithub.com/markedjs/marked/releases/tag/v4.0.9) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.8...v4.0.9) ##### Bug Fixes - retain line breaks in tokens properly ([#2341](https://togithub.com/markedjs/marked/issues/2341)) ([a9696e2](https://togithub.com/markedjs/marked/commit/a9696e28989c0bea2077885bab1844525e18a031)) ### [`v4.0.8`](https://togithub.com/markedjs/marked/releases/tag/v4.0.8) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.7...v4.0.8) ##### Bug Fixes - spaces on a newline after a table ([#2319](https://togithub.com/markedjs/marked/issues/2319)) ([f82ea2c](https://togithub.com/markedjs/marked/commit/f82ea2cf1be0a3ad3337bcafe1c4dd3182334bb9)) ### [`v4.0.7`](https://togithub.com/markedjs/marked/releases/tag/v4.0.7) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.6...v4.0.7) ##### Bug Fixes - Fix every third list item broken ([#2318](https://togithub.com/markedjs/marked/issues/2318)) ([346b162](https://togithub.com/markedjs/marked/commit/346b162bb787d3b7fb1d4879c859f64155c6ca3c)), closes [#2314](https://togithub.com/markedjs/marked/issues/2314) ### [`v4.0.6`](https://togithub.com/markedjs/marked/releases/tag/v4.0.6) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.5...v4.0.6) ##### Bug Fixes - speed up parsing long lists ([#2302](https://togithub.com/markedjs/marked/issues/2302)) ([e0005d8](https://togithub.com/markedjs/marked/commit/e0005d8232a08827f5e99b8b35b09728b2b07503)) ### [`v4.0.5`](https://togithub.com/markedjs/marked/releases/tag/v4.0.5) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.4...v4.0.5) ##### Bug Fixes - table after paragraph without blank line ([#2298](https://togithub.com/markedjs/marked/issues/2298)) ([5714212](https://togithub.com/markedjs/marked/commit/5714212afd4a9ee0864fff70bad034f7c0842a3c)) ### [`v4.0.4`](https://togithub.com/markedjs/marked/releases/tag/v4.0.4) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.3...v4.0.4) ##### Bug Fixes - fix cli ([#2294](https://togithub.com/markedjs/marked/issues/2294)) ([ab2977a](https://togithub.com/markedjs/marked/commit/ab2977a3363230df51ccbb2b3f8bf46389c50283)) ### [`v4.0.3`](https://togithub.com/markedjs/marked/releases/tag/v4.0.3) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.2...v4.0.3) ##### Bug Fixes - build min from umd ([#2283](https://togithub.com/markedjs/marked/issues/2283)) ([ea26ea9](https://togithub.com/markedjs/marked/commit/ea26ea9bdf7aad4e4c645f85e8e816e80a2be6c2)) ### [`v4.0.2`](https://togithub.com/markedjs/marked/releases/tag/v4.0.2) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.1...v4.0.2) ##### Bug Fixes - Create separate CJS and UMD builds ([#2281](https://togithub.com/markedjs/marked/issues/2281)) ([62faaf4](https://togithub.com/markedjs/marked/commit/62faaf4c912151dfe361d0459d5e89a439c38fd4)) ### [`v4.0.1`](https://togithub.com/markedjs/marked/releases/tag/v4.0.1) [Compare Source](https://togithub.com/markedjs/marked/compare/v4.0.0...v4.0.1) ##### Bug Fixes - Set commonJS code as `main` in `package.json` ([#2276](https://togithub.com/markedjs/marked/issues/2276)) ([7e636d5](https://togithub.com/markedjs/marked/commit/7e636d5a0b04b43f2b67a2abb2b8ae35a5122a42)) ### [`v4.0.0`](https://togithub.com/markedjs/marked/releases/tag/v4.0.0) [Compare Source](https://togithub.com/markedjs/marked/compare/v3.0.8...v4.0.0) ##### Bug Fixes - Convert to ESM ([#2227](https://togithub.com/markedjs/marked/issues/2227)) ([4afb228](https://togithub.com/markedjs/marked/commit/4afb228d956a415624c4e5554bb8f25d047676fe)) ##### BREAKING CHANGES - Default export removed. Use `import { marked } from 'marked'` or `const { marked } = require('marked')` instead. - `/lib/marked.js` removed. Use `/marked.min.js` in script tag instead. - When using marked in a script tag use `marked.parse(...)` instead of `marked(...)`Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.