JSDoc, a widely used API documentation generator for JavaScript, released version 3.5.3, a minor update following version 3.5.2. Both versions share the same core purpose: generating documentation from JavaScript source comments. Under the hood they have the same structure, with identical descriptions, licenses (Apache-2.0), repository links, and author information (Michael Mathews). The dependency lists are nearly the same, relying on libraries such as "klaw", "marked", "mkdirp", "babylon", "taffydb", "bluebird", "requizzle", "underscore", "js2xmlparser", "strip-json-comments", and "escape-string-regexp" for the core functionality. Development dependencies, used for building and testing the project, including "nyc", "tv4", "gulp", "gulp-eslint", and "gulp-json-editor", are also the same in both versions.
The primary distinction lies in the updated patch. The "catharsis" dependency was bumped from version 0.8.8 in 3.5.2 to 0.8.9 in 3.5.3. Catharsis is the library JSDoc uses to parse JSDoc type expressions, so this update likely carries bug fixes or minor enhancements in type parsing, potentially improving the accuracy and reliability of generated documentation for complex type annotations. Version 3.5.3 was released on 2017-07-14, two days after version 3.5.2 (released 2017-07-12), suggesting a swift follow-up to address issues or make minor improvements identified shortly after the previous release. Upgrading to 3.5.3 therefore picks up these immediate refinements.
All vulnerabilities related to version 3.5.3 of the package
Marked ReDoS due to email addresses being evaluated in quadratic time
Versions of marked from 0.3.14 and before 0.6.2 are vulnerable to Regular Expression Denial of Service (ReDoS). Email addresses may be evaluated in quadratic time, allowing an attacker to crash the Node process through resource exhaustion.
Upgrade to version 0.6.2 or later.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
```js
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
```js
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
TaffyDB can allow access to any data items in the DB
TaffyDB allows attackers to forge the internal index by adding extra properties to user input processed by taffy, which can give access to any data item in the DB. Taffy assigns an internal index to each data item in its DB, but that index can be forged by adding additional properties to the user input. If an index is found in the query, TaffyDB ignores the other query conditions and directly returns the indexed data item. Moreover, the internal index has an easily guessable format (e.g., T000002R000001). As a result, attackers can use this vulnerability to access any data item in the DB. Note: taffy and its successor package taffydb are not maintained.
Arbitrary Code Execution in underscore
Versions of the package underscore from 1.3.2 and before 1.12.1, and from 1.13.0-0 and before 1.13.0-2, are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.