Marked 1.0.0 introduces several changes relative to version 0.8.2. The visible ones are in the development dependencies: rollup moves from 2.1.0 to 2.6.1, uglify-js from 3.8.0 to 3.9.1, @babel/preset-env from 7.9.0 to 7.9.5, eslint-plugin-node from 11.0.0 to 11.1.0, @markedjs/html-differ from 3.0.0 to 3.0.1, and rollup-plugin-license from 0.13.0 to 2.0.0.
All of these are build-time tools (bundling, minification, transpilation and linting), so they are not installed by consumers of the package and do not change the runtime dependency tree; what consumers receive is the published artifact, whose unpacked size grows from 191332 to 223332 bytes. rollup-plugin-license crosses two major versions (0.13.0 to 2.0.0), so the license banner it writes into the bundle is the one part of the build output worth diffing against 0.8.2. None of these bumps touch the parser itself: the regular expressions behind the advisories below live in marked's own source, and a newer toolchain neither introduces nor fixes them.
All vulnerabilities known to affect version 1.0.0 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking on crafted input. The PoC is as follows.
import * as marked from 'marked';
// On an affected version (before 4.0.10) this call does not return in any reasonable time.
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Either do not run untrusted markdown through marked at all, or run marked on a worker thread with a reasonable time limit and terminate the worker when the limit is exceeded, so that a single input cannot pin the main thread and drain resources.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking on crafted input. The PoC is as follows.
import * as marked from "marked";
// A link reference definition padded with 3000 spaces: on an affected version (before 4.0.10) this call does not return in any reasonable time.
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Either do not run untrusted markdown through marked at all, or run marked on a worker thread with a reasonable time limit and terminate the worker when the limit is exceeded, so that a single input cannot pin the main thread and drain resources.