CVE-2022-21681 — Uncontrolled Resource Consumption in Marked

CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service CWE-186 — Overly Restrictive Regular Expression6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 34.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Markedjs Marked Marked Project Marked Debian Node-marked +1 more

Timeline

PublishedJan 14

Description

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasona…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5markedjs/marked< 4.0.10

▶debiandebian/node-marked< node-marked 4.0.12+ds+~4.0.1-1 (bookworm)

▶NVDmarked_project/marked< 4.0.10

▶npmmarked_project/marked< 4.0.10

Also affects: Fedora 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Inefficient Regular Expression Complexity in marked↗2022-01-14

▶

OSV

Inefficient Regular Expression Complexity in marked↗2022-01-14

▶

OSV

CVE-2022-21681: Marked is a markdown parser and compiler↗2022-01-14

▶

📋Vendor Advisories

Red Hat

marked: regular expression inline.reflinkSearch may lead Denial of Service↗2022-01-14

▶

Debian

CVE-2022-21681: node-marked - Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular e...↗2022

▶