Jsdoc version 3.5.2 is a patch release following version 3.5.1, both serving as API documentation generators for JavaScript projects. Examining the metadata, the core functionalities and declared dependencies remain identical between versions - both utilize klaw, marked, mkdirp, babylon, taffydb, bluebird, catharsis, requizzle, underscore, js2xmlparser, and strip-json-comments and escape-string-regexp for creating documentation from JavaScript code. Similarly, the development dependencies, used for testing and building the project, are also consistent, incorporating nyc for coverage, a specific commit of tv4 for validation, and gulp, gulp-eslint, and gulp-json-editor for build processes and code quality.
The primary difference lies in the release date: version 3.5.2 was published on July 12, 2017, while version 3.5.1 was released two days prior on July 10, 2017. This suggests that the 3.5.2 includes bug fixes or very minor enhancements addressed in the days between the releases of the two separate versions. For developers already using version 3.5.1, upgrading to 3.5.2 appears as a low-risk upgrade, that is, if they encounter any issues with 3.5.1. If 3.5.1 is working for the developer there is no need to upgrade. Both versions share the same Apache-2.0 license and originate from the jsdoc3 repository on GitHub. Developers seeking to document their JavaScript APIs will find these versions suitable for generating organized and easily navigable documentation and should check the official jsdoc changelog for a detailed list of fixed bugs.
All the vulnerabilities related to the version 3.5.2 of the package
Marked ReDoS due to email addresses being evaluated in quadratic time
Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
Upgrade to version 0.6.2 or later.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
TaffyDB can allow access to any data items in the DB
TaffyDB allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. Taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If index is found in the query, TaffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data items in the DB. Note: taffy and its successor package taffydb are not maintained.
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.