CVE-2022-21681
Exponential catastrophic backtracking (ReDoS) in marked
In short
Marked, a markdown parser, contains a regex flaw that can cause extreme slowdowns (ReDoS) when processing certain malicious markdown strings, potentially freezing or crashing applications that parse untrusted markdown without resource limits.
Technical detail
The inline.reflinkSearch regex exhibits exponential catastrophic backtracking (ReDoS) when matching specific input patterns, allowing remote denial of service against applications parsing untrusted markdown. Exploitation requires the victim to process a crafted markdown string through vulnerable marked versions prior to 4.0.10; impact is service unavailability due to CPU exhaustion.
Summary generated and translated by AI from the official description.
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
markedjs · marked