:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
## Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
- :x: **marked-0.3.5.tgz** (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d
Found in base branch: main
## Vulnerabilities

All findings below are in the single direct dependency marked-0.3.5.tgz. Scores and fix versions are those given in the per-finding details:

| Finding | Score | Fix Resolution (marked) |
| --- | --- | --- |
| CVE-2017-16114 | CVSS 3: 7.5 | not given in this report |
| WS-2015-0020 | CVSS 3: 7.5 (no base metrics) | 0.3.6 |
| WS-2018-0031 | CVSS 2: 7.1 | 0.3.6 (change files) |
| CVE-2016-10531 | CVSS 3: 6.1 | 0.3.6 |
| CVE-2017-1000427 | CVSS 3: 6.1 | 0.3.7 |
| WS-2019-0026 | CVSS 2: 5.0 | 0.3.9 |
| WS-2019-0027 | CVSS 2: 5.0 | 0.3.18 |
| WS-2019-0025 | CVSS 2: 5.0 | 0.3.9 |

The "Direct dependency fix Resolution" of 0.3.6 repeated under each finding clears only the three HTML-entity sanitization-bypass findings (WS-2015-0020, WS-2018-0031, CVE-2016-10531). Clearing every finding that lists a fix requires upgrading marked to at least 0.3.18.

## Details
**CVE-2017-16114**

### Vulnerability Details

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

Publish Date: 2018-06-07
URL: CVE-2017-16114

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.

:rescue_worker_helmet: Automatic Remediation is available for this issue

**WS-2015-0020**

### Vulnerability Details

Marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL.

Publish Date: 2015-05-20
URL: WS-2015-0020

### CVSS 3 Score Details (7.5)

Base Score Metrics: not available (every exploitability and impact metric is listed as N/A)
For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2015-0020
Release Date: 2015-05-20
Fix Resolution (marked): MIDIator.WebClient - 1.0.105;AvailableLight - 1.0.8;z4a-dotnet-scaffold - 1.0.0.3;Raml.Parser - 1.0.7;marked - 0.3.6
Direct dependency fix Resolution (marked): 0.3.6

:rescue_worker_helmet: Automatic Remediation is available for this issue

**WS-2018-0031**

### Vulnerability Details

The affected versions (through 0.3.5) of the marked package are vulnerable to cross-site scripting (XSS) due to a sanitization bypass using HTML entities.
Publish Date: 2018-03-23
URL: WS-2018-0031
### CVSS 2 Score Details (7.1)

Base Score Metrics not available

### Suggested Fix

Type: Change files
Release Date: 2015-05-19
Fix Resolution (marked): Replace or update the following files: links.sanitize.html, marked.js, links.sanitize.text
Direct dependency fix Resolution (marked): 0.3.6
:rescue_worker_helmet: Automatic Remediation is available for this issue

**CVE-2016-10531**

### Vulnerability Details

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because an entity such as `&#NNanything;` gets parsed as far as it can be and the rest is left behind, resulting in just `anything;` being left; marked's sanitizer check and the browser decode it differently, so the check sees a harmless string while the browser sees `javascript:`.
Publish Date: 2018-05-31
URL: CVE-2016-10531
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nodesecurity.io/advisories/101
Release Date: 2016-04-18
Fix Resolution (marked): Update to version 0.3.6 or later.
Direct dependency fix Resolution (marked): 0.3.6
:rescue_worker_helmet: Automatic Remediation is available for this issue

**CVE-2017-1000427**

### Vulnerability Details

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the `data:` URI parser.
Publish Date: 2018-01-02
URL: CVE-2017-1000427
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427
Release Date: 2019-12-16
Fix Resolution (marked): 0.3.7
Direct dependency fix Resolution (marked): 0.3.6
:rescue_worker_helmet: Automatic Remediation is available for this issue

**WS-2019-0026**

### Vulnerability Details

Versions 0.3.7 and earlier of marked unescape only a lowercase `x` in the hexadecimal form of an HTML character entity (`&#x6A;`), while browsers accept both lowercase and uppercase `X` (`&#X6A;`). A `javascript:` URL written with uppercase-`X` entities is therefore left undecoded by marked's sanitizer check but decoded by the browser.
Publish Date: 2017-12-23
URL: WS-2019-0026
### CVSS 2 Score Details (5.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Release Date: 2019-03-17
Fix Resolution (marked): 0.3.9
Direct dependency fix Resolution (marked): 0.3.6
:rescue_worker_helmet: Automatic Remediation is available for this issue

**WS-2019-0027**

### Vulnerability Details

In versions 0.3.17 and earlier of marked, four regular expressions were vulnerable to catastrophic backtracking. This leaves servers that render untrusted markdown open to a ReDoS attack.
Publish Date: 2018-02-26
URL: WS-2019-0027
### CVSS 2 Score Details (5.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Release Date: 2019-03-17
Fix Resolution (marked): 0.3.18
Direct dependency fix Resolution (marked): 0.3.6
:rescue_worker_helmet: Automatic Remediation is available for this issue

**WS-2019-0025**

### Vulnerability Details

In versions 0.3.7 and earlier of marked, when mangling is disabled via the `mangle` option, the target href is not escaped. This allows an attacker to inject arbitrary HTML event-handler attributes into the resulting `<a>` tag.
Publish Date: 2017-12-23
URL: WS-2019-0025
### CVSS 2 Score Details (5.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Release Date: 2019-03-17
Fix Resolution (marked): 0.3.9
Direct dependency fix Resolution (marked): 0.3.6
:rescue_worker_helmet: Automatic Remediation is available for this issue