Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRyNjItdjR2cS1ocjk2
Regular Expression Denial of Service (REDoS) in Marked
Impact
What kind of vulnerability is it? Who is impacted?
Regular expression Denial of Service
A Denial of Service attack can affect anyone who runs user generated code through marked.
Patches
Has the problem been patched? What versions should users upgrade to?
patched in v2.0.0
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
None.
References
Are there any links users can visit to find out more?
https://github.com/markedjs/marked/issues/1927 https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRyNjItdjR2cS1ocjk2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 10 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-4r62-v4vq-hr96, CVE-2021-21306
References:
- https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
- https://github.com/markedjs/marked/issues/1927
- https://github.com/markedjs/marked/pull/1864
- https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
- https://www.npmjs.com/package/marked
- https://nvd.nist.gov/vuln/detail/CVE-2021-21306
- https://github.com/advisories/GHSA-4r62-v4vq-hr96
Affected Packages
npm:marked
Versions: >= 1.1.1, < 2.0.0Fixed in: 2.0.0