Marked version 0.3.13 introduces notable changes compared to its predecessor, version 0.3.12, affecting the development workflow and potentially performance. One key difference lies in the development dependencies. Version 0.3.13 replaces gulp and associated gulp plugins like gulp-concat and gulp-uglify with uglify-js. This signals a shift in the build process, potentially streamlining it and reducing the overall dependency footprint. Developers should note this change if they are accustomed to using gulp for building this JavaScript library. While both versions share dependencies like markdown, showdown, markdown-it, front-matter, and glob-to-regexp, the updated version benefits from a more modern JavaScript minification tool in uglify-js, possibly leading to better minification and smaller final bundle sizes.
Both versions remain under the MIT license, ensuring open-source usage flexibility. The core description of Marked as a "markdown parser built for speed" holds true across both versions. However, an interesting observation is the repository URL. The older version points to git://github.com/chjj/marked.git, while the newer version points to git://github.com/markedjs/marked.git. This suggests a potential ownership or maintainership transition of the project. The dist object in version 0.3.13 also adds fileCount and unpackedSize, not present in the previous version, offering insight, even though minimal, into the delivered size of the package. Finally, the release date indicates that version 0.3.13 was released approximately a month after version 0.3.12, indicating a relatively active development cycle. Developers updating should carefully inspect the build process changes resulting from the shift from gulp to uglify-js.
All vulnerabilities related to version 0.3.13 of the package
Marked allows Regular Expression Denial of Service (ReDoS) attacks
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: