Marked version 1.2.7 introduces subtle refinements compared to its predecessor, version 1.2.6, primarily focusing on development dependencies. While the core functionality of this "markdown parser built for speed" remains consistent, developers should note the updated development environment.
Specifically, @babel/core is updated from version 7.12.9 to 7.12.10, and @babel/preset-env moves from 7.12.7 to 7.12.10. These bumps likely pick up minor compilation enhancements or bug fixes within the Babel ecosystem, potentially improving build times or compatibility during development. markdown-it also moves from version 12.0.2 to 12.0.3.
The dist section reveals a marginal decrease in unpackedSize from 266820 to 266709, suggesting optimizations in the packaged code that reduce the library's footprint. Furthermore, the release date moved from December 10th to December 15th.
For developers using Marked, these changes are unlikely to necessitate immediate code modifications. However, aligning with the latest development dependencies ensures access to the most current tooling and best practices. By staying updated, developers can leverage potential performance improvements and security patches within the build process. Consider reviewing the changelogs of Babel and associated plugins for detailed insights into the specific changes implemented in these minor releases.
All the vulnerabilities related to version 1.2.7 of the package
Regular Expression Denial of Service (REDoS) in Marked
What kind of vulnerability is it? Who is impacted?
Regular expression Denial of Service
A Denial of Service attack can affect anyone who runs user generated code through marked.
Has the problem been patched? What versions should users upgrade to?
Patched in v2.0.0.
Is there a way for users to fix or remediate the vulnerability without upgrading?
None.
Are there any links users can visit to find out more?
https://github.com/markedjs/marked/issues/1927
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:
// PoC from the advisory: a reference definition followed by a long run of escaped brackets
// makes the inline.reflinkSearch regex backtrack catastrophically in marked before 4.0.10.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:
// PoC from the advisory: a reference definition padded with long runs of spaces
// makes the block.def regex backtrack catastrophically in marked before 4.0.10.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: