Marked ReDoS due to email addresses being evaluated in quadratic time

dependabot-gitlab has detected a security vulnerability for marked in path: /, manifest_file: /package.json, but was unable to update it!

| Package | Severity | Affected versions | Patched versions | IDs |
| --- | --- | --- | --- | --- |
| marked (NPM) | MODERATE | >= 0.3.14, < 0.6.2 | 0.6.2 | GHSA-xf5p-87ch-gxw2 |

Description

Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Recommendation

Upgrade to version 0.6.2 or later.
