cvelist / GitHub_M / CVELIST:CVE-2022-21681
History: Jan 14, 2022 - 12:00 a.m.

CVE-2022-21681 Exponential catastrophic backtracking (ReDoS) in marked

2022-01-14 00:00:00
CWE-1333
CWE-400
GitHub_M
www.cve.org
8
Tags: cve-2022-21681, exponential catastrophic backtracking, marked markdown parser, denial of service, regular expression, dos, untrusted markdown, workaround, version 4.0.10

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.002
Percentile: 60.8%

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

CNA Affected

[
  {
    "vendor": "markedjs",
    "product": "marked",
    "versions": [
      {
        "version": "< 4.0.10",
        "status": "affected"
      }
    ]
  }
]
