Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Link | Resource |
---|---|
https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 | Patch Third Party Advisory |
https://github.com/markedjs/marked/releases/tag/v4.0.10 | Release Notes Third Party Advisory |
https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf | Exploit Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/ |
Configurations
History
24 Jul 2023, 13:54
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | |
CWE |
08 Oct 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
CWE | CWE-1333 CWE-400 |
24 Jan 2022, 19:31
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:* | |
References | (CONFIRM) https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/markedjs/marked/releases/tag/v4.0.10 - Release Notes, Third Party Advisory | |
References | (MISC) https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 - Patch, Third Party Advisory | |
CWE | NVD-CWE-Other | |
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
14 Jan 2022, 17:59
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-01-14 17:15
Updated : 2024-02-04 22:08
NVD link : CVE-2022-21680
Mitre link : CVE-2022-21680
CVE.ORG link : CVE-2022-21680
JSON object : View
Products Affected
fedoraproject
- fedora
marked_project
- marked