CVE-2022-21680
Cubic catastrophic backtracking (ReDoS) in marked
In short
Marked, a markdown parser, has a flaw in its pattern-matching code that can be exploited by sending specially crafted markdown text, causing the parser to freeze or consume excessive resources and becoming unavailable to other users.
Technical detail
The regular expression in the `block.def` pattern exhibits catastrophic backtracking (ReDoS) when processing certain malicious markdown input. An attacker can send crafted markdown strings to trigger exponential regex matching time, leading to denial of service. This affects any application parsing untrusted markdown with marked versions before 4.0.10 without resource limits or worker thread isolation.
Summary generated and translated by AI from the official description.
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
markedjs · marked
References
https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
https://github.com/markedjs/marked/releases/tag/v4.0.10
https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/