Cubic catastrophic backtracking (ReDoS) in marked
CVE-2022-21680

7.5HIGH

Key Information:

Vendor: Markedjs
Status: Marked
Vendor: CVE Published:; 14 January 2022

What is CVE-2022-21680?

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Affected Version(s)

marked < 4.0.10

References

https://github.com/markedjs/marked/security/advisories/GH...

https://github.com/markedjs/marked/commit/c4a3ccd344b6929...

https://github.com/markedjs/marked/releases/tag/v4.0.10

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2022
Vulnerability Reserved
Nov 16, 2021

CVE-2022-21680 Data

JSON

Markedjs

What is CVE-2022-21680?

Affected Version(s)

References

CVSS V3.1

Timeline