
Fix CVE-2022-21680 #4

Open · wants to merge 1 commit into base: main

Conversation

debricked-staging[bot]

CVE-2022-21680

Vulnerable dependency: marked (Yarn) 0.4.0

Vulnerable dependency: marked (npm) 0.4.0

Vulnerability details

Description

NVD

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

GitHub

Inefficient Regular Expression Complexity in marked

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVSS details: 7.5

CVSS3 metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

References

Inefficient Regular Expression Complexity in marked · CVE-2022-21680 · GitHub Advisory Database · GitHub
NVD - CVE-2022-21680
Merge pull request from GHSA-rrrm-qjm4-v8hf · markedjs/marked@c4a3ccd · GitHub
Cubic catastrophic backtracking (ReDoS) in block.def · Advisory · markedjs/marked · GitHub
Release v4.0.10 · markedjs/marked · GitHub


Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE


@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2022_21680-020c9399787bd56a branch from fb12a9e to 1cc5fce Compare March 22, 2022 06:54