Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
HIGH Vulnerable Package issue exists @ marked in branch master
Description
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression
block.defmay cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.HIGH Vulnerable Package issue exists @ marked in branch master
Vulnerability ID: CVE-2022-21680
Package Name: marked
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2022-01-14T17:15:00
Current Package Version: 0.3.9
Remediation Upgrade Recommendation: 4.0.10
Link To SCA
Reference – NVD link