Version Details and Security Vulnerabilities

📦

docpress

0.8.0

Comparision Betweeen 0.8.0 and 0.7.9

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

45.2 KB

44.92 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

docpress

0.8.0

Comparision Betweeen 0.8.0 and 0.7.9

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

45.2 KB

44.92 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.8.0 of the package docpress.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.8.0 of the package

Summary:

Regular Expression Denial of Service in postcss

Details:

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

Details about postcss@5.2.5

Summary:

PostCSS line return parsing error

Details:

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Details about postcss@5.2.5

Summary:

Pug allows JavaScript code execution if an application accepts untrusted input

Details:

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

Details about pug@2.0.4

Summary:

Remote code execution via the pretty option.

Details:

Impact

If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: https://github.com/pugjs/pug/issues/3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

Details about pug@2.0.4

Summary:

Pug allows JavaScript code execution if an application accepts untrusted input

Details:

Details about pug-code-gen@2.0.3

Summary:

Prototype Pollution in extend

Details:

Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

Recommendation

If you're using extend 3.x upgrade to 3.0.2 or later. If you're using extend 2.x upgrade to 2.0.2 or later.

Details about extend@1.3.0

Summary:

Inefficient Regular Expression Complexity in nth-check

Details:

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms

Details about nth-check@1.0.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash.pick@4.4.0

Summary:

ReDOS vulnerabities: multiple grammars

Details:

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking)

oswasp:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service).

This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable. Exponential grammars (C, Perl, JavaScript) are auto-registered when using the common grammar subset/library require('highlight.js/lib/common') as of 10.4.0 - see https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@10.4.0/build/highlight.js

All versions prior to 10.4.1 are vulnerable, including version 9.18.5.

Grammars with exponential backtracking issues:

c-like (c, cpp, arduino)
handlebars (htmlbars)
gams
perl
jboss-cli
r
erlang-repl
powershell
routeros
livescript (10.4.0 and 9.18.5 included this fix)
javascript & typescript (10.4.0 included partial fixes)

And of course any aliases of those languages have the same issue. ie: hpp is no safer than cpp.

Grammars with polynomial backtracking issues:

kotlin
gcode
d
aspectj
moonscript
coffeescript/livescript
csharp
scilab
crystal
elixir
basic
ebnf
ruby
fortran/irpf90
livecodeserver
yaml
x86asm
dsconfig
markdown
ruleslanguage
xquery
sqf

And again: any aliases of those languages have the same issue. ie: ruby and rb share the same ruby issues.

Patches

Version 10.4.1 resolves these vulnerabilities. Please upgrade.

Workarounds / Mitigations

Discontinue use the affected grammars. (or perhaps use only those with poly vs exponential issues)
Attempt cherry-picking the grammar fixes into older versions...
Attempt using newer CDN versions of any affected languages. (ie using an older CDN version of the library with newer CDN grammars). Your mileage may vary.

References

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue: https://github.com/highlightjs/highlight.js/issues
Email us at security@highlightjs.com

Details about highlight.js@9.18.5

Summary:

Uncontrolled Resource Consumption in markdown-it

Details:

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

Details about markdown-it@10.0.0

Summary:

markdown-it-decorate vulnerable to cross-site scripting (XSS)

Details:

markdown-it-decorate adds attributes, IDs and classes to Markdown, and the most recent version 1.2.2 was published in 2017. All versions are currently vulnerable to cross-site scripting (XSS) and there is no fixed version at this time

Details about markdown-it-decorate@1.2.2

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.7.0

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.7.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.8.0 of the package docpress.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.8.0 of the package

Summary:

Regular Expression Denial of Service in postcss

Details:

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

Details about postcss@5.2.5

Summary:

PostCSS line return parsing error

Details:

Details about postcss@5.2.5

Summary:

Pug allows JavaScript code execution if an application accepts untrusted input

Details:

Details about pug@2.0.4

Summary:

Remote code execution via the pretty option.

Details:

Impact

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: https://github.com/pugjs/pug/issues/3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

Details about pug@2.0.4

Summary:

Pug allows JavaScript code execution if an application accepts untrusted input

Details:

Details about pug-code-gen@2.0.3

Summary:

Prototype Pollution in extend

Details:

Recommendation

If you're using extend 3.x upgrade to 3.0.2 or later. If you're using extend 2.x upgrade to 2.0.2 or later.

Details about extend@1.3.0

Summary:

Inefficient Regular Expression Complexity in nth-check

Details:

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms

Details about nth-check@1.0.2

Summary:

Prototype Pollution in lodash

Details:

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash.pick@4.4.0

Summary:

ReDOS vulnerabities: multiple grammars

Details:

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking)

oswasp:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

All versions prior to 10.4.1 are vulnerable, including version 9.18.5.

Grammars with exponential backtracking issues:

c-like (c, cpp, arduino)
handlebars (htmlbars)
gams
perl
jboss-cli
r
erlang-repl
powershell
routeros
livescript (10.4.0 and 9.18.5 included this fix)
javascript & typescript (10.4.0 included partial fixes)

And of course any aliases of those languages have the same issue. ie: hpp is no safer than cpp.

Grammars with polynomial backtracking issues:

kotlin
gcode
d
aspectj
moonscript
coffeescript/livescript
csharp
scilab
crystal
elixir
basic
ebnf
ruby
fortran/irpf90
livecodeserver
yaml
x86asm
dsconfig
markdown
ruleslanguage
xquery
sqf

And again: any aliases of those languages have the same issue. ie: ruby and rb share the same ruby issues.

Patches

Version 10.4.1 resolves these vulnerabilities. Please upgrade.

Workarounds / Mitigations

Discontinue use the affected grammars. (or perhaps use only those with poly vs exponential issues)
Attempt cherry-picking the grammar fixes into older versions...
Attempt using newer CDN versions of any affected languages. (ie using an older CDN version of the library with newer CDN grammars). Your mileage may vary.

References

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue: https://github.com/highlightjs/highlight.js/issues
Email us at security@highlightjs.com

Details about highlight.js@9.18.5

Summary:

Uncontrolled Resource Consumption in markdown-it

Details:

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

Details about markdown-it@10.0.0

Summary:

markdown-it-decorate vulnerable to cross-site scripting (XSS)

Details:

Details about markdown-it-decorate@1.2.2

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.7.0

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.7.0

Version Details and Security Vulnerabilities

docpress

Comparision Betweeen 0.8.0 and 0.7.9

Security Vulnerabilities

Version Details and Security Vulnerabilities

docpress

Comparision Betweeen 0.8.0 and 0.7.9

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

postcss@5.2.5 GHSA-566m-qj78-rww5 5.3

PoC

postcss@5.2.5 GHSA-7fh5-64p2-3v2j 5.3

pug@2.0.4 GHSA-3965-hpx2-q597 6.8

pug@2.0.4 GHSA-p493-635q-r6gr 6.8

Impact

Patches

Workarounds

References

For more information

pug-code-gen@2.0.3 GHSA-3965-hpx2-q597 6.8

extend@1.3.0 GHSA-qrmc-fj45-qfc2 N/A

Recommendation

nth-check@1.0.2 GHSA-rp65-9cf3-cjxr 7.5

lodash.pick@4.4.0 GHSA-p6mc-m468-83gw 7.4

highlight.js@9.18.5 GHSA-7wwv-vh3v-89cq N/A

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking)

Patches

Workarounds / Mitigations

References

For more information

markdown-it@10.0.0 GHSA-6vfc-qv3f-vr6c 5.3

Impact

Patches

Workarounds

References

markdown-it-decorate@1.2.2 GHSA-rhf5-2378-3w3w 6.1

marked@0.7.0 GHSA-5v2h-r2cx-5xgj 7.5

Impact

Patches

Workarounds

References

For more information

marked@0.7.0 GHSA-rrrm-qjm4-v8hf 7.5

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

postcss@5.2.5 GHSA-566m-qj78-rww5 5.3

PoC

postcss@5.2.5 GHSA-7fh5-64p2-3v2j 5.3

pug@2.0.4 GHSA-3965-hpx2-q597 6.8

pug@2.0.4 GHSA-p493-635q-r6gr 6.8

Impact

Patches

Workarounds

References

For more information

pug-code-gen@2.0.3 GHSA-3965-hpx2-q597 6.8

extend@1.3.0 GHSA-qrmc-fj45-qfc2 N/A

Recommendation

nth-check@1.0.2 GHSA-rp65-9cf3-cjxr 7.5

lodash.pick@4.4.0 GHSA-p6mc-m468-83gw 7.4

highlight.js@9.18.5 GHSA-7wwv-vh3v-89cq N/A

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking)

Patches

Workarounds / Mitigations

References

For more information

markdown-it@10.0.0 GHSA-6vfc-qv3f-vr6c 5.3

Impact