rsoreq / zenbot

Zenbot is a command-line cryptocurrency trading bot using Node.js and MongoDB.
MIT License

bitfinex-api-node-5.0.0.tgz: 8 vulnerabilities (highest severity is: 9.3) #947

Open mend-for-github-com[bot] opened 1 month ago

mend-for-github-com[bot] commented 1 month ago
Vulnerable Library - bitfinex-api-node-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (bitfinex-api-node version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-44906 | Critical | 9.3 | Not Defined | 3.5% | minimist-0.0.8.tgz | Transitive | 5.0.1 | | |
| CVE-2021-3918 | Critical | 9.3 | Not Defined | 0.5% | json-schema-0.2.3.tgz | Transitive | 5.0.1 | | |
| CVE-2021-25949 | Critical | 9.2 | Not Defined | 0.70000005% | set-getter-0.1.0.tgz | Transitive | 5.0.1 | | |
| CVE-2022-21681 | High | 8.7 | Not Defined | 0.2% | marked-0.7.0.tgz | Transitive | 5.0.1 | | |
| CVE-2022-21680 | High | 8.7 | Not Defined | 0.3% | marked-0.7.0.tgz | Transitive | 5.0.1 | | |
| CVE-2020-28469 | High | 8.7 | Not Defined | 1.2% | glob-parent-2.0.0.tgz | Transitive | 5.0.2 | | |
| WS-2020-0163 | High | 8.2 | Not Defined | | marked-0.7.0.tgz | Transitive | 5.0.1 | | |
| CVE-2020-7598 | Medium | 6.3 | Not Defined | 0.1% | minimist-0.0.8.tgz | Transitive | 5.0.1 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

### CVE-2021-44906: Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - copy-0.3.2.tgz
    - mkdirp-0.5.1.tgz
      - :x: **minimist-0.0.8.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.5%

### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules

### CVE-2021-3918: Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - request-2.88.0.tgz
    - http-signature-1.2.0.tgz
      - jsprim-1.4.1.tgz
        - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules

### CVE-2021-25949: Vulnerable Library - set-getter-0.1.0.tgz

Create nested getter properties and any intermediary dot notation (`'a.b.c'`) paths

Library home page: https://registry.npmjs.org/set-getter/-/set-getter-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - copy-0.3.2.tgz
    - lazy-cache-2.0.2.tgz
      - :x: **set-getter-0.1.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2021-06-10

URL: CVE-2021-25949

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 4 Score Details (9.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Release Date: 2021-06-10

Fix Resolution (set-getter): 0.1.1

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules

### CVE-2022-21681: Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - blessed-contrib-4.8.21.tgz
    - :x: **marked-0.7.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules

### CVE-2022-21680: Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - blessed-contrib-4.8.21.tgz
    - :x: **marked-0.7.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules

### CVE-2020-28469: Vulnerable Library - glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - copy-0.3.2.tgz
    - :x: **glob-parent-2.0.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The affected code is the enclosure regex used to check for strings ending in an enclosure that contains a path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (bitfinex-api-node): 5.0.2

In order to enable automatic remediation, please create workflow rules

### WS-2020-0163: Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - blessed-contrib-4.8.21.tgz
    - :x: **marked-0.7.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups, which can lead to a denial of service.

Publish Date: 2020-07-02

URL: WS-2020-0163

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 4 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules

### CVE-2020-7598: Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- bitfinex-api-node-5.0.0.tgz (Root Library)
  - copy-0.3.2.tgz
    - mkdirp-0.5.1.tgz
      - :x: **minimist-0.0.8.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (6.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (bitfinex-api-node): 5.0.1

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules