Marked version 2.0.5 is a minor update to the popular markdown parsing library, building upon the previous stable version 2.0.4. Both versions share the same core functionality, providing a fast and efficient way to convert markdown text into HTML. Developers will find that the API and main features remain consistent, ensuring a smooth transition if upgrading. The description and licensing (MIT) also remain the same.
The dist metadata differs slightly: unpackedSize is 287545 bytes in version 2.0.5 versus 287197 in version 2.0.4, a growth of 348 bytes. The metadata alone does not say what changed, so consult the project's changelog rather than inferring fixes or features from the size difference. The releaseDate fields are 2021-05-20T13:44:11.822Z for 2.0.4 and 2021-05-21T20:54:29.259Z for 2.0.5, about a day apart.
Keeping dependencies current is good practice, and since the devDependencies are identical, the build and test tooling is unchanged; a patch-level bump like this should carry minimal risk of breaking changes. It should not be mistaken for a security upgrade, however: 2.0.5 is itself affected by the two regular-expression denial-of-service advisories listed below, which are fixed in 4.0.10. Moving from 2.0.4 to 2.0.5 does not address them, so anyone rendering untrusted markdown should plan the upgrade to 4.0.10 (a major-version jump, so check the changelog for breaking changes) or apply the mitigations the advisories describe.
All the vulnerabilities related to version 2.0.5 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
Proof of concept (Node ESM; on an affected version the parse call does not return in any reasonable time because the regex engine backtracks through the crafted input):
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit and terminate the worker when the limit is exceeded, so a crafted document cannot tie up the process and drain resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
Proof of concept (Node ESM; the long whitespace runs around the reference definition drive the backtracking, and on an affected version the parse call does not return in any reasonable time):
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit and terminate the worker when the limit is exceeded, so a crafted document cannot tie up the process and drain resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: