Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR4ZjktcGd2di14eDY3
Regular Expression Denial of Service in simple-markdown
Versions of simple-markdown prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The SimpleMarkdown.defaultInlineParse() function has significantly degraded performance when parsing inline code blocks.
Recommendation
Upgrade to version 0.5.2 or later.
Permalink: https://github.com/advisories/GHSA-4xf9-pgvv-xx67
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR4ZjktcGd2di14eDY3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: about 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-4xf9-pgvv-xx67
References:
- https://github.com/Khan/simple-markdown/issues/71
- https://snyk.io/vuln/SNYK-JS-SIMPLEMARKDOWN-460540
- https://github.com/ariabuckles/simple-markdown/commit/89797fef9abb4cab2fb76a335968266a92588816
- https://github.com/advisories/GHSA-4xf9-pgvv-xx67
Blast Radius: 15.5
Affected Packages
npm:simple-markdown
Dependent packages: 100
Dependent repositories: 829
Downloads: 362,690 last month
Affected Version Ranges: < 0.5.2
Fixed in: 0.5.2
All affected versions: 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1
All unaffected versions: 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3